| Rule Title | Rule Author | Ruleset Name | ID | #Files | #Undetected Files |
|---|---|---|---|---|---|
| Creation of an Executable by an Executable | frack113 | Sigma Integrated Rule Set (GitHub) | b5386a23355681c43cfbd2f2ccfe4b16ed45324d0d7b5583487a9f302ee1e427 | 6530711 | 801985 |
| Wow6432Node CurrentVersion Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 18842e32896dd83b8aca4d5e1ac78c1f66b1d252479c0023cdd02f108c42c8cd | 5869492 | 37574 |
| CurrentVersion Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 8b5db9da5732dc549b0e8b56fe5933d7c95ed760f3ac20568ab95347ef8c5bcc | 3582224 | 58000 |
| CurrentVersion NT Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | d706314122bff93e0dbdf079f1d1904d2f00407f34a893487d70105b1dc5b9ed | 1901094 | 5592 |
| Potential Persistence Via COM Search Order Hijacking | Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien | Sigma Integrated Rule Set (GitHub) | 7f5d257abc981b5eddb52d4a9a02fb66201226935cf3d39177c8a81c3a3e8dd4 | 1831983 | 143092 |
| Wow6432Node Windows NT CurrentVersion Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 3e5fe19fbbb767b861e93022c3f95d25e1618fc86be75b05326ee57b2f75633c | 1741139 | 232375 |
| Scheduled TaskCache Change by Uncommon Program | Syed Hasan (@syedhasan009) | Sigma Integrated Rule Set (GitHub) | d62173552d7fce98c24a7040b784edf35cc6650d2e68ecf2d04f40c58d58cfda | 1545857 | 16571 |
| System File Execution Location Anomaly | Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 25fc56c1bee673d7ff3edcf371e4d2a36c0af83222da348961b87735c8efa61f | 1510338 | 94939 |
| Failed Code Integrity Checks | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 134564d292d785dff102940b8a1ee06dba2d462c5fb852124b3771a49d7885f1 | 1388948 | 582969 |
| Hidden Executable In NTFS Alternate Data Stream | Florian Roth (Nextron Systems), @0xrawsec | Sigma Integrated Rule Set (GitHub) | 5be9da0a90b142239a3ff2819edf2283938855da3b4c80d63d8e6db63c2c4fe7 | 1386682 | 70423 |
| New DLL Added to AppInit_DLLs Registry Key | Ilyas Ochkov, oscd.community, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 6f134f381913ef9221138f615280ca41e252e823168d7d580ab6e713e10beca2 | 1164100 | 52 |
| Password Protected Compressed File Extraction Via 7Zip | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 22e867c244280c1d01bcddc8355c10d82b6c69577cd784cefbbe4eb5e7a82f65 | 1141288 | 329599 |
| Change PowerShell Policies to an Insecure Level | frack113 | Sigma Integrated Rule Set (GitHub) | 06b48fa7870d38bdf92b4d4a9b9c4a4df779bd405fdc5ba0e70911df20027ce1 | 1104684 | 558022 |
| DMP/HDMP File Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 67ee86b34b3617ea45dec0ef09b7a71a5f44f5c010ccc9139d92f49685996f49 | 1102439 | 198893 |
| Suspicious Outbound SMTP Connections | frack113 | Sigma Integrated Rule Set (GitHub) | 3659f9925f327ac0ba2be9b3c8c7240f432c4b62f162b846c10410fff320b6f7 | 935006 | 356 |
| Suspicious New Instance Of An Office COM Object | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ffbbcedfb9a1fd41ebb288154c10cf5cf869eb25195708be30f8a9df74f411cc | 728099 | 593531 |
| Files With System Process Name In Unsuspected Locations | Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e13498937de9343f50c1e8f315ce602aa238e37e21f3dbb15d3403c25afafe3e | 672429 | 2777 |
| Suspicious Screensaver Binary File Creation | frack113 | Sigma Integrated Rule Set (GitHub) | ad081ff821748a3cd86b5954ef5c3d7d2a6602fe0b6e50ed47938b98bc184122 | 593871 | 4347 |
| Change PowerShell Policies to an Insecure Level - PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 5572c8188426269a10ccb41fc8e9c8445391ac38a0917621b0a1ee05ec99aac9 | 575401 | 235790 |
| Suspicious Get-WmiObject | frack113 | Sigma Integrated Rule Set (GitHub) | 1f7f8b1e9005dd4d64cb9d30ed53ee94f68fb96262fbd72f7a0266881149c79f | 570396 | 230933 |
| SCR File Write Event | Christopher Peacock @securepeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | 7a463b569de43655b8e8cf5b970001d720c38abf81bce54ba71ad19765b096e7 | 527771 | 3769 |
| CMD Shell Output Redirect | frack113 | Sigma Integrated Rule Set (GitHub) | e77646c39db7fa011a5223aeb73c738046787fc7f62a99394e883d76a54341f7 | 512462 | 16506 |
| Execution from Suspicious Folder | Florian Roth (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | f8d48ec1128b00975e61e06393f6bb04a1d033a94c556d213b3bcb78a80589d8 | 506687 | 19602 |
| Execution of Suspicious File Type Extension | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2104d1ee1ce64e7aa3dbd368652a54ce160e6a5751019af14601fc8fd1df8086 | 491777 | 22711 |
| Modification of IE Registry Settings | frack113 | Sigma Integrated Rule Set (GitHub) | 7ca43f2acf2c039e776af286dca2b5216d23967e6e8fe43dd5a5cc95f86e52e5 | 490110 | 24764 |
| Suspicious Double Extension Files | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | c9e528bd3557dc88b06bd5d2dfbadd96e24026bd2d890a2604febd2829c3146b | 460083 | 122 |
| Windows Processes Suspicious Parent Directory | vburov | Sigma Integrated Rule Set (GitHub) | afd546ea5eff265c454f77f6e7641ade6e5a791d79de155fa27d377be1581535 | 414711 | 918 |
| Potential Defense Evasion Via Binary Rename | Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | 686a5b6d5e098e507256a7207e9e4a237bb378c824f67f13ee0402525833b257 | 408252 | 49504 |
| Process Creation Using Sysnative Folder | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1dfbc92aba26dc597751f9cf42ff3eac446b827525d1a38ea6fb4141c9f9af01 | 403947 | 147764 |
| Rundll32 Internet Connection | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4725cdcf2dfdd90c3aa0d331fae77d6ac8021c254701744a01444af04e9a0e69 | 359912 | 48140 |
| Use Remove-Item to Delete File | frack113 | Sigma Integrated Rule Set (GitHub) | d9b2eb00753c3049fbb4ed4f7d88f29b65a0c50bec45ff4723b95bb637f8f83d | 358344 | 153681 |
| User with Privileges Logon | frack113 | Sigma Integrated Rule Set (GitHub) | 8919a871f4a52b7af785fab44b4665ab6a3637e6ebeeac0288df8a5012a48be2 | 350576 | 157725 |
| Python Initiated Connection | frack113 | Sigma Integrated Rule Set (GitHub) | e4d5f1be0673fa786cc8379c15338af08cdd11eed433bead9e801d6204d42a2d | 325787 | 78378 |
| Use NTFS Short Name in Command Line | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c0bf6ba71da9d0f13368b0f1281354c8f9b3d491845ea5902282fece277ec655 | 320267 | 9906 |
| New RUN Key Pointing to Suspicious Folder | Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Sigma Integrated Rule Set (GitHub) | 27b72c2678411f21ba21bd10b44b7e9c45594d5a5f61f14223b81a8906675039 | 306827 | 9421 |
| Service Binary in Suspicious Folder | Florian Roth (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | 71686ca6fd31ecd29454e2d39e38be5c971f96ad539e461b7d1d79b85f90182a | 304246 | 6485 |
| Common Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name) | Sigma Integrated Rule Set (GitHub) | aa1c4ee10caaa9d521b34246c51e0c22c8af0a4b7fdb1cdd9faf1182ef6dd14c | 287789 | 874 |
| Suspicious DNS Query for IP Lookup Service APIs | Brandon George (blog post), Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 3a2766a08d32a855b604a786cddc0f76fee13e6ccd22e01d4878150f0ef1eebc | 285950 | 9418 |
| Uncommon Svchost Parent Process | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a0daa529834b3c5230b4524da005a6b6503e7cb061e298a8f74e0dc1fee0a008 | 284862 | 1123 |
| Monero Crypto Coin Mining Pool Lookup | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0752dd4f3de82ada650a6c6ed1887cc940d8f55e130fec468ce0df9b2ec4ef25 | 270567 | 38 |
| Non Interactive PowerShell Process Spawned | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Sigma Integrated Rule Set (GitHub) | 1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f | 267123 | 32552 |
| Renamed Office Binary Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bb031bd9cea5bfc07d877d0deeef37ed046229fe8cb82202aefe3220d14c8626 | 251566 | 3378 |
| Registry Modification to Hidden File Extension | frack113 | Sigma Integrated Rule Set (GitHub) | e6d175111f1e8dfecb77e2bbe404bdaad31873a97477136b427187abb5d09a89 | 245770 | 177 |
| Network Communication With Crypto Mining Pool | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5f96c8ad390b56fba16309ec092ccde0290c7896bd2bfd7c49b738c77dc36bde | 241044 | 21 |
| Suspect Svchost Activity | David Burkett, @signalblur | Sigma Integrated Rule Set (GitHub) | dc04e64e69f5446c2a31920ee22415626307d5f3d0fb73ad81b9d3301a41000a | 235921 | 352 |
| Vulnerable Driver Load | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | efe6f377eb5896688f0baa7d44db4fc8d0639fa43f0d3dbb262bde8a7eb7b453 | 231778 | 759 |
| Disable UAC Using Registry | frack113 | Sigma Integrated Rule Set (GitHub) | 80708cad12d59acde6c91bdfbb0ed867ffd0538e97f962f2ffd72040a66ecb6b | 231258 | 715 |
| Service Binary in Uncommon Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a55e06a3fb02c5ab9e6338bc2b61d50ebaa7e4236c27862400b7633243f477be | 231166 | 9284 |
| Vulnerable WinRing0 Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6e6298fff951b11ea6aa772fe7d022e50af3068aa7254be68850f49e45e0ed13 | 229194 | 184 |
| Driver Load From A Temporary Directory | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 539dcb36e9155d97ed39c68182bde1733b86e2785cbef70586ce6a771645c425 | 221997 | 741 |
| Suspicious Microsoft Office Child Process | Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Sigma Integrated Rule Set (GitHub) | 6a6edfdea6536f74ea66bf73682ed52f4b86435793ed76ff38e3ab0523f029f5 | 219682 | 462 |
| Startup Folder File Write | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 56b8c79acb8e444c2b00be5c9d3cb8e33e863ccb3506d635f907a49cd053c84f | 219674 | 5451 |
| Suspicious File Created In PerfLogs | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a689c467d9cf931ad8d7fcb39456815daf9e5fb748bad72f1269eb6a8d64c5a0 | 213227 | 8 |
| Suspicious Schtasks From Env Var Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0533322c5c44794b71e761cd351a2459aad6e21ae95c9543d4c9fdb3c8fde6c4 | 211344 | 2029 |
| Use Short Name Path in Command Line | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 3c0434c2b9b483a1c7879404c2a80556dc54436bf222a970ca7131b1f30079f1 | 210625 | 26905 |
| Powershell Defender Exclusion | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7e416af5a1bb67fdbd2f30ae3f5da7f74583460b36546527c909c354fb5dcd00 | 203958 | 2418 |
| Audit Policy Tampering Via Auditpol | Janantha Marasinghe (https://github.com/blueteam0ps) | Sigma Integrated Rule Set (GitHub) | 33a4a18ae1a3802586c239be79075294541594b5b603c230af39618577e03fae | 201485 | 32687 |
| Stop Windows Service Via Sc.EXE | Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dd1cc05e1a1d9416b75088f7ba5586374900fc625479abf320585293e9e21639 | 197673 | 3234 |
| Process Start From Suspicious Folder | frack113 | Sigma Integrated Rule Set (GitHub) | 539d657ea3dfb52773cd8616d93fd64ba9112091984d1c3eb044c6e5dadd2c5c | 188309 | 53171 |
| File Deletion Via Del | frack113 | Sigma Integrated Rule Set (GitHub) | 77ed185ff979a8d9206b5eed07bf6d5823529f713ed0ea19f2ef7a4a355568bc | 184532 | 3696 |
| Scheduled Task Creation Via Schtasks.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3bc9d14114a6b67367a24df21134d0564d6f08a0ad903d68f9b25e9d8b7f0790 | 179857 | 2482 |
| Rundll32 Execution With Uncommon DLL Extension | Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou | Sigma Integrated Rule Set (GitHub) | e7856bac967038b016efab8e4f315a2f16ccd6ba62f20d73df0ad3826fe654a3 | 177806 | 23548 |
| Potential Persistence Via COM Hijacking From Suspicious Locations | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c64a541b46d176ef960f347f5e86ee15927eb668f86a5f9f6260bbc94b1d2f3a | 177370 | 107166 |
| Scheduled Task Created - FileCreation | Center for Threat Informed Defense (CTID) Summiting the Pyramid Team | Sigma Integrated Rule Set (GitHub) | 3418c5891b9d0a4ec974985072278b35b0a0f0254118d766d07553a547284b87 | 174884 | 7554 |
| Suspicious Network Connection to IP Lookup Service APIs | Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7b06f86400ae084ca05c7e2cefe70b8ea4910b6196d969ae516b9d5d1c99bfe5 | 166776 | 10742 |
| Bad Opsec Defaults Sacrificial Processes With Improper Arguments | Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 53f67594c85a67cef198b525b556658fa4e46d1e49901472adbc8b7f0ba475a8 | 164944 | 5577 |
| Disable Microsoft Defender Firewall via Registry | frack113 | Sigma Integrated Rule Set (GitHub) | 4d91cff1255532aacd25d7b82261d545afc7d30837d1643a0dd2c4617aec5865 | 160592 | 41330 |
| Remote Thread Creation In Uncommon Target Image | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ea7ec9e92c165a4cef023fd658ef72279f03378ab53f4481eb973ecb2171b193 | 150989 | 1123 |
| Suspicious Process Start Locations | juju4, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 7776601555567f764fc3e22722bef1fdde521b5bdff9fff38f9031e9a3f7ce54 | 149055 | 85 |
| New Service Creation Using Sc.EXE | Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 9821e08a6d71e81d42d38e95e4265f2df05a9e00e70a874249d812f403a8c789 | 141341 | 1082 |
| Suspicious Call by Ordinal | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b7eb83db20f6f8b5f580e107c2b6816110a31869a94de5e2797d917335d9fbc0 | 138538 | 90830 |
| Classes Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | acb1ec4240103205f334c8fe26431568a458950f7b86b59652440e1de4dc0449 | 131723 | 4238 |
| Suspicious Schtasks Schedule Type With High Privileges | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e36b579d4bc4ef49ede1d82dd08ec1cba660d105c6f037d12ecf79b434617e88 | 128148 | 3710 |
| PSScriptPolicyTest Creation By Uncommon Process | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d6ff8dca8c8ea9fa750972dd032542746369179e3aaceccc1c3f2cc2a35f5d25 | 127698 | 2864 |
| Stop Windows Service Via Net.EXE | Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5b84c64b930b911c8206935d6c61b2a128347a34d495da3ea3523cdf5397c3ef | 125541 | 35021 |
| Suspicious Process Creation | Florian Roth | SOC Prime Threat Detection Marketplace | f09d5248ed8fc1a93251158bfda71f8144ccaf37fa922416ccd897498bff7c55 | 125405 | 3415 |
| LOLBAS rundll32 without expected arguments (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 2fd6d2b16365ba7157eee4934b406ac7d530b4ec62cc1b45c69ee4f07989f139 | 120420 | 6949 |
| Communication To Uncommon Destination Ports | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0cbddc72cfb3b9426508057fbe3e7b0ed88990983f04ad15f9685e585ce7ae66 | 114782 | 702 |
| Rundll32 Execution Without CommandLine Parameters | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 87574dead19ceb246e10ccb4cb4fd5009c71c46de0d77965d2170bfafc2c3b14 | 111007 | 1146 |
| Powershell Create Scheduled Task | frack113 | Sigma Integrated Rule Set (GitHub) | 60d527fe5a592cbe8e98428d1412743b909d5625ec8bc91d20e8b6ee8b36db20 | 110205 | 37923 |
| PowerShell Initiated Network Connection | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b5e9f310ab6a8611ea1b7b788e712f0f6bf452c3092675694cf6256931874071 | 110194 | 36660 |
| Schedule system process | Joe Security | Joe Security Rule Set (GitHub) | 02b55b29ddf740930b68c311ca7cd59354f8c35ceda86d09a3fb06f08b760857 | 108896 | 223 |
| Potential Persistence Attempt Via Run Keys Using Reg.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | aa87efb252a9cf7bb1fb0114336bd08c338bc9046dd498d187c209cd94ddbc6a | 108639 | 2537 |
| Suspicious Add Scheduled Task Parent | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 66d80afb92c9db3881829096827fcacc7b8a697c3ceeb3318163ce83367f394b | 107513 | 2706 |
| File And SubFolder Enumeration Via Dir Command | frack113 | Sigma Integrated Rule Set (GitHub) | 7752bbd4e940ef58081260cfa45b4ac6b149e2cecb836d79f5e61bfbdc237105 | 106817 | 9697 |
| Displaying Hidden Files Feature Disabled | frack113 | Sigma Integrated Rule Set (GitHub) | a264eb1ecc5d771f6348e8cadd3e5508323440b132da9cd70e3c579354eb50b2 | 106167 | 98 |
| Suspicious Double Extension File Execution | Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5ead81ee12f2097316af35270a1ac0f8623db054349c52ef366fc42a4b7d2de2 | 102683 | 108 |
| Suspicious Windows Service Tampering | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | 941abf5111763a135c88b4f6437475eb4c99e8d4c3ebdb4b74e30321695b0fa7 | 99279 | 8594 |
| Office Macro File Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 27801b0f98df1ce7686b07b693c59e734c47189ef3db24ea1093f6f00ff2ed67 | 97420 | 73625 |
| Suspicious Script Execution From Temp Folder | Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | 96d2c399118cab5d249093badf4a85f0ef1889872b0191bdf131bcabc0994681 | 97196 | 13553 |
| Python Image Load By Non-Python Process | Patrick St. John, OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 433ecdf8469138ce151b9e283d8e892c2aaec8d0aa9a1f631efac7da11cb1ba8 | 96458 | 6996 |
| WMI Module Loaded By Non Uncommon Process | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | fb092b3aee3feb316c048a1249e1ac9639a63cac318318afd45bf38887b31b0c | 96217 | 11031 |
| Disable Windows Defender Functionalities Via Registry Keys | AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | 387844917f76d926b5dde6a796bcdb423a54d6df4ab736e7752fb73dc931e400 | 96059 | 725 |
| WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript | Michael Haag | Sigma Integrated Rule Set (GitHub) | 8b884f70bb47a8e06faf8f548fcfef77fe3802d22c310c4cdfa01f35cb030bac | 92372 | 21445 |
| Potential Product Reconnaissance Via Wmic.EXE | Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 04969458bf2b005665d6b29fa937ccdfac26516eac5746c80ed78581033094c3 | 92241 | 3205 |
| PowerShell Module File Created By Non-PowerShell Process | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b8c95f5909e68be942c69ab250a3b47557e33b2d1d582cd72e665210efeadb8f | 90059 | 290 |
| Floxif Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 98d1e74d54870538bf25e55522e0e31814ceaa32679120ff66addce78f4c461d | 86549 | 1849 |
| Potentially Suspicious Desktop Background Change Via Registry | Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ) | Sigma Integrated Rule Set (GitHub) | 5a6c8cc8cab203cf6f2333e64a60bd47d75fb197ebae1de9ed494061e525a58c | 86282 | 149 |
| Potential Dropper Script Execution Via WScript/CScript | Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2020feadc9b3cf47558c219948361d9d3eb5347af91135f21bf711f6032bc817 | 85982 | 21795 |
| File deletion via CMD (via cmdline) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f9333cf120369debd56e4e238fffa10bdb2a1497c11e08a082befd02f9f3bdf2 | 85279 | 36058 |
| Set Files as System Files Using Attrib.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 62ce96b648991749ff9b9ccc7dafa1d8da64d6490e9f469683f00fa248ef9336 | 82439 | 1330 |
| Winrar Execution in Non-Standard Folder | Florian Roth (Nextron Systems), Tigzy | Sigma Integrated Rule Set (GitHub) | 99b7b3abf0ce8f702d10cc3f120ed16591df3c13fbda30b46e0623d93cdac439 | 79823 | 13709 |
| Net.exe Execution | Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) | Sigma Integrated Rule Set (GitHub) | f1048c602439313e72f67c634350106ba7b709512529457a6f0a5eca6835bc89 | 79558 | 13720 |
| Self Extraction Directive File Created In Potentially Suspicious Location | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | af7095d7af79bbd5d71771ff686f1cfff97b7c8e0f56cb180a29d9eba0df9b1e | 79459 | 57 |
| Chromium Browser Instance Executed With Custom Extension | Aedan Russell, frack113, X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 37d47e5fc375cac096ef3e0d98b28b26d7e9e45f3b65373c8e1d5bb6d8e22b7e | 79312 | 30755 |
| Suspicious Run Key from Download | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9bc88dec9bf37149ee55ca532e26602ba2ef11e86aa846ab6e0e461f12768b4c | 79249 | 861 |
| Read Contents From Stdin Via Cmd.EXE | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0db9fba426142aca003830de31e38a7318ed0a3a299852f6bc4cbe8bc905515f | 79053 | 1342 |
| Disable Internal Tools or Feature in Registry | frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec | Sigma Integrated Rule Set (GitHub) | 86c36bfac526414900d3b4c6f66d0b7bb2cf11a511b7ad65c486685dc8d4d05f | 78031 | 487 |
| Windows Binaries Write Suspicious Extensions | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6676ee2bf136155325337ad27ca431e57ff815b4fbddfaf94908c8ae566aa5b6 | 77356 | 2304 |
| WmiPrvSE Spawned A Process | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 1429a6819ff25aad68fb09601fb0b63c4be24919adfd25c4ad925ef8d47d8f22 | 76962 | 92 |
| K8h3d campaign (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 2e5a93340aede0794b671d3b3d020fb719a3985e78a96970d36c5c326f2fef34 | 76031 | 16930 |
| Unsigned DLL Loaded by Windows Utility | Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | 683818f24875a562c0b792edd4183d333b6b0b284ca8a88cc47fb2c9ae5b1473 | 72592 | 23434 |
| Windows Defender Exclusions Added - PowerShell | Tim Rauch, Elastic (idea) | Sigma Integrated Rule Set (GitHub) | cf863dff3d564c975d28d336cb7981fcd6956e6fb9afbd2794f600b130e83171 | 69453 | 831 |
| HackTool - Windows Credential Editor (WCE) Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8c09b5d8aeac44d4ad6b76333ab77edf4453d9c7f7db00d879591acfc9f98479 | 68694 | 16 |
| Hardware Model Reconnaissance Via Wmic.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cfdf6fdaa1841541e46a9c7701402dd4782cd08947692cfdcf86532c87ea3dbc | 68662 | 2427 |
| Suspicious Execution of Taskkill | frack113 | Sigma Integrated Rule Set (GitHub) | cd06da2f3978bdb24b3f3c8f83c7df917a910c6b29921d0e375e418f340d8f3d | 68186 | 9888 |
| Rundll32 Spawned Via Explorer.EXE | CD_ROM_ | Sigma Integrated Rule Set (GitHub) | 63bcc6f98c4a5594772428a329b433392d70f18a841926328607f303f3d782a5 | 68043 | 791 |
| Potentially Suspicious CMD Shell Output Redirect | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9312dc563b7e9a010a22b457fb7cd94e9c686b75dc20fcf8a10236dda0e5e2b4 | 64556 | 4712 |
| Usage Of Web Request Commands And Cmdlets - ScriptBlock | James Pemberton / @4A616D6573 | Sigma Integrated Rule Set (GitHub) | 6291f85314c7d9966be831c56d3cdfb30f42c84f599273e73dac5c95e1122abf | 63890 | 10085 |
| Oilrig | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c01baa2540aeb8f23c067318100db0ab3618e37acf7e219372e750398969c606 | 62415 | 36263 |
| Hidden Tear Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6416d92c1d6493914510053de27fbb52201520df66cac075111034d37aac4194 | 61984 | 24960 |
| PsiXBot Malware behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 63753d667c596fd59cca6de277c7a4f8062dd47fb2ae19a1efdda0cbb8d7692b | 61973 | 24950 |
| Orcus RAT detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 870bd93000dae7789508610f80cf9f2862f3b3e9fefec9b3cba32617a75799cd | 61970 | 24950 |
| Swisyn Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 173f49a095aef2bc0480b5f8a8ae6c2d0e4125f9096d618a3865346b34d726fa | 61887 | 121 |
| CurrentControlSet Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 5bddd3dd0944d27f3ff8b03e8a8a01f5a9d14540ea1779da5683fe601557a364 | 57885 | 1221 |
| Dot net compiler compiles file from suspicious location | Joe Security | Joe Security Rule Set (GitHub) | 76e8bb8877ab40bd84b14fc93daffe9ff7ebe9440ce09916b5c63a302d62c918 | 57328 | 14959 |
| Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location | Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c01e7ec6f86a4d6c135bc43d1a4e4a012bf97c07c8bb4238242fe32f06ea6d09 | 56801 | 183 |
| Automated Collection Command Prompt | frack113 | Sigma Integrated Rule Set (GitHub) | 511fcd38b1cd4057f3b3568707032548bac72899a4b3c932f3614c6d89d417bd | 55873 | 10 |
| Potential Dead Drop Resolvers | Sorina Ionescu, X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1aa956a1fb5e5e7293864d3c9941d7469eae4a2c837614bdc2a6a741671526ae | 55224 | 2422 |
| PowerShell Web Download | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dac677b84d14788387f1c92fd6733396974f070639fca6be1bbf50df44b426cf | 55041 | 9607 |
| Dynamic CSharp Compile Artefact | frack113 | Sigma Integrated Rule Set (GitHub) | 764276dba9654bf07d000fa390ae98de360ac172927cf3ef64f2db6c5b9be3b2 | 54262 | 7703 |
| Office Application Initiated Network Connection To Non-Local IP | Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | cfd44c3835317e846b18021a9060f4b9b011294ec53eb3ac1fad568abeb37922 | 54151 | 46931 |
| LatentBot malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f5653d51811614b162ab7311b24033c85bf166bbc322d83f4f72d0b9a366a01f | 52204 | 19572 |
| Suspicious Execution of Powershell with Base64 | frack113 | Sigma Integrated Rule Set (GitHub) | eb75f9de2201bfad4ef177dca85b0b8fa8e5a86ba2357af5301f72acbc5eb144 | 50868 | 1029 |
| vbc.exe execution. | Den iuzvyk | SOC Prime Threat Detection Marketplace | 7f5e752d29abb27ef7222f5171fe6719092aa64cb1a11187e75e3efd277216b3 | 50282 | 159 |
| Use Short Name Path in Image | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | a913250de417b0235e4fbff14e07a25585d216d2000ee8ef314227987aef7eb0 | 49811 | 11969 |
| Shade Ransomware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d8f0141497fc47a78fbf41591174881fdf0e85f2937b08befec5c6273f8867d2 | 49059 | 160 |
| Drops script at startup location | Joe Security | Joe Security Rule Set (GitHub) | 196a9c9222e3b003ccb0caadc29931d851129ba863f99545299786a032864d12 | 48898 | 392 |
| Hiding Files with Attrib.exe | Sami Ruohonen | Sigma Integrated Rule Set (GitHub) | 5c3ea6806114163b8cdf5735aeb07e702ab63e0e486f721df84cf675e2b0a04b | 48581 | 840 |
| Direct Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | b5f76af9d8101930af8d4fee71f3a5395b47eff6bb88e581db02bf890242d79b | 48457 | 2449 |
| Suspicious Executable File Creation | frack113 | Sigma Integrated Rule Set (GitHub) | a3e8f1f39ee9f212f863aa80fb48e783e942fa1db242be073c5647888fd6b094 | 47056 | 897 |
| Run Once Task Configuration in Registry | Avneet Singh @v3t0_, oscd.community | Sigma Integrated Rule Set (GitHub) | 0e31671617efd7f7d79bdc60259af085a8ceadd59619e28e3f3d57d90ed1501d | 45177 | 122 |
| Modify User Shell Folders Startup Value | frack113 | Sigma Integrated Rule Set (GitHub) | 0799d32e125d6df849ced4dc75e232438c118a816477d3f80a390cbd8b4d07ef | 44681 | 81 |
| Suspicious DotNET CLR Usage Log Artifact | frack113, omkar72, oscd.community, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | d3c65dba4df23fb384d566a6730f08957cd6e906ab86db5a042c01a5c4258230 | 44289 | 21118 |
| Change User Account Associated with the FAX Service | frack113 | Sigma Integrated Rule Set (GitHub) | 26eb124f6709979c69bbb0025f3a401c81cde2ba2f83098c32504f896490fc2d | 43774 | 0 |
| Usage Of Web Request Commands And Cmdlets | James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | f92451c8957e89bb4e61e68433faeb8d7c1461c3b90d06b3403c8f3d87c728b8 | 42835 | 7693 |
| Sysmon Configuration Change | frack113 | Sigma Integrated Rule Set (GitHub) | 953121a751fbc01b581e57dfbcfb08d3f714fa9df54e4180dfb7564c3b2e3153 | 42786 | 15957 |
| Potential Binary Or Script Dropper Via PowerShell | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bda626dd3bfb65bcce23cf31a18f15b58628dc48b2bb5cd9fe5f9ea5f9a3cc8c | 41986 | 2290 |
| PoetRAT detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a9e98f5066d90fefc6c08a2a98baaaeecc9dcfccf65c96170128a898353b6d50 | 41725 | 30413 |
| Suspicious Non-Browser Network Communication With Google API | Gavin Knapp | Sigma Integrated Rule Set (GitHub) | 6094a7d0c599a4dfac3b49ed5776afacc4a66b1a643b8aa31dce51c8f32f8704 | 41217 | 27453 |
| Use NTFS Short Name in Image | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 53658db80063ea16a40c90c24fa4cdb4a146dec6685cf48c0167318df2cbe20f | 40762 | 4329 |
| New Firewall Rule Added Via Netsh.EXE | Markus Neis, Sander Wiebing | Sigma Integrated Rule Set (GitHub) | 7b1f3cd9ca9b55feb5fdd5c8e1821348f2d78745282b41055af44f88df612112 | 40392 | 2580 |
| Regsvr32 DLL Execution With Uncommon Extension | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c0cdd12b4805f2aebecbc0415332f2594acf1ae6d8d82da086eeac9a84bf0c37 | 38653 | 4062 |
| DropboxAES RAT (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8c558244a29064b6842314ce986116d2007b1087f6f8bb45ae883911d0155549 | 37828 | 15876 |
| Windows Defender Exclusions Added - Registry | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 795fba906ef1026c4e4d4ae583b085f3f640182a288987bf4d43695ea7e62992 | 37701 | 181 |
| Suspicious desktop.ini Action | Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO) | Sigma Integrated Rule Set (GitHub) | cdd5a8ff564f3632d9613d1f4925baca8be40a01fe14c7ba3e30f51bf1ff3829 | 37487 | 1500 |
| Scheduled temp file as task from temp location | Joe Security | Joe Security Rule Set (GitHub) | 90af0ea1f6d871f169dfb41b18545bf456f980c5d75f60f1293c34f071f6a31c | 37385 | 198 |
| Amsi.DLL Load By Uncommon Process | frack113 | Sigma Integrated Rule Set (GitHub) | 839b8da98cb18a93a4c803f0e372af5098133357d4e2c35fd9f75cd01bbd43b1 | 36948 | 3931 |
| Shell Open Registry Keys Manipulation | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cd6c2801be2f14154f9616435303948eacedd79025bd0646cb3c34bb536b7cab | 35788 | 42 |
| Stop Windows Service | Jakob Weinzettl, oscd.community, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 9afc79c8a56e6e5c4cbd55d203a7dce8efc4ed28aa315b736c842a88b1d3dd0e | 35371 | 4829 |
| CSRSS.exe spawned from unusual location (possible mimicking) (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | c3e407003db6c8b95e5a7dcbea08bddf8b53b265400c2feb32abfa523336257c | 35152 | 44 |
| Registry Disable System Restore | frack113 | Sigma Integrated Rule Set (GitHub) | 39ac4b0484423463b1d746fc5446062ea1299bec08a2dd2bc058efcd9c06f2e0 | 35063 | 18 |
| HanaLoader (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 38853c8efaf750ffd744961ebcbeb037146acaabb9ca85c445af59f87e98e44d | 34827 | 13642 |
| Uncommon System Information Discovery Via Wmic.EXE | TropChaud | Sigma Integrated Rule Set (GitHub) | 0546c2d1b6847c71b54cd4de2f5363edba0cdf02eb90da287ec9c110d3c4af30 | 34606 | 564 |
| DNS Query To Remote Access Software Domain From Non-Browser App | frack113, Connor Martin | Sigma Integrated Rule Set (GitHub) | 210890087c5c0874ddc8155130ae1218d789f501e70a75ad47c71bbbc76004af | 33406 | 9332 |
| Suspicious PowerShell Invocations - Specific | Florian Roth (Nextron Systems), Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 7d262d8417cb03b2a9d2b935ae55980f22abc3aa7cffc36e57eda761068226dc | 32975 | 479 |
| Script Interpreter Execution From Suspicious Folder | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 92acfd50d9fe4d995d6998a5346e4e031ea037d422458bb4f74555a52ffc886c | 32298 | 5522 |
| Suspicious Network Command | frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' | Sigma Integrated Rule Set (GitHub) | 76a1e5bc5c7d4b95d8c382b4ecefb6a628ea4fba6cbf029fbb3cc32d36dcce57 | 32036 | 4134 |
| Tamper Windows Defender - ScriptBlockLogging | frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c14e1f7f13c2bd7f209d1a9b75c7c313606e7e245601bf31765f2770c858ce09 | 31858 | 207 |
| Windows Shell/Scripting Application File Write to Suspicious Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 248820e948efae04f89b524348c8398f0b278befcaec4fafddf73e9c5dda0353 | 31724 | 328 |
| Service StartupType Change Via Sc.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b55af83c751d2c7bca8dbba245a97017e34109bff34fd50b02f60a91111ea703 | 31443 | 4800 |
| Suspicious SYSTEM User Process Creation | Florian Roth (Nextron Systems), David ANDRE (additional keywords) | Sigma Integrated Rule Set (GitHub) | d0b906c9286d892a8434845afa7551135e37841bdace5aa7fdf1c6bd9a823c73 | 31306 | 204 |
| Compression Utility Passed Uncommon Directory (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | f4fe24c510771cfebac8ea12b6e86858e92ee0807f17f8dd0e23e2dc5e1b8049 | 30633 | 589 |
| Start Windows Service Via Net.EXE | Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 3edfb66bbbe5056c7df0064ed6164a68632d8d476ab015091e0e33f5159d9052 | 30301 | 5864 |
| Windows Defender Real-Time Protection Failure/Restart | Nasreddine Bencherchali (Nextron Systems), Christopher Peacock '@securepeacock' (Update) | Sigma Integrated Rule Set (GitHub) | 300832dd5414e83d23f6791c1f960c07191eea49ca183cc0ce1230b6c777f565 | 29836 | 16334 |
| Dynamic .NET Compilation Via Csc.EXE | Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b39586c79bf4d0d43c937efa6129ebb6f0b2cf03b7038a3a8234f84c147600f7 | 29572 | 4544 |
| Use of W32tm as Timer | frack113 | Sigma Integrated Rule Set (GitHub) | c36744b5f28fd16a3d12551b5ab3040cda78b8771cefa8acaf2dbdd269e4af2b | 29049 | 3849 |
| ADS Zone.Identifier Deleted By Uncommon Application | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 43c6ce8bdbd683e1a7f4fb9b49a3a8236621ff32e67fdf0987c5770097ef376c | 28493 | 3577 |
| Process Reconnaissance Via Wmic.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | c64577166c54aa12e6fafe9322a15fd35e2e359c52a4b545c470853d848557ec | 28415 | 2114 |
| CoViper Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 17affcf8751489416a8bdd1c7819271220bd9bdd11f595b644b2966c3e3b1b80 | 28395 | 2056 |
| Potential WinAPI Calls Via CommandLine | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7d53de0fb9c4ee79b8ab06605cd3a8faaa400a586d577c9a7d692f059a3ac78c | 28240 | 17177 |
| Capture Wi-Fi password | Joe Security | Joe Security Rule Set (GitHub) | 2e31c80fe0affb3753d7456883282043c5795a0abd5906589d7b67f0eb04076e | 27997 | 452 |
| WMIC Loading Scripting Libraries | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 022ee32433f415a35cf214d689b7c20ea4d29ed50a5be04595877663d8128997 | 27648 | 1699 |
| Suspicious Volume Shadow Copy Vsstrace.dll Load | frack113 | Sigma Integrated Rule Set (GitHub) | c79aa27a6bc774dc430e35f8d05d743b7bea3638a8776f9e8c3ba8f7188a856a | 26460 | 7609 |
| Suspicious Startup Folder Persistence | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3396956bf20db86e217299b41f051d8e3807a72f92450b595e46cc0a7e70800b | 26369 | 375 |
| Dllhost.EXE Initiated Network Connection To Non-Local IP Address | bartblaze | Sigma Integrated Rule Set (GitHub) | 0469df5507574c65082f62410c1cc9e493ba1daeff82396b38a60516c6f4187c | 25692 | 5058 |
| Suspicious PowerShell Encoded Command Patterns | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 12273189dbbd1ed526c045fb9a7d5e45682ba4e0a13e2e94d65376962a0bfc2e | 25639 | 348 |
| Registry Persistence via Service in Safe Mode | frack113 | Sigma Integrated Rule Set (GitHub) | 876ae5900040fc2ad5fd69d8477e94869d5e147f2af5c4456d0b099844c20bb5 | 25576 | 5831 |
| Msiexec.EXE Initiated Network Connection Over HTTP | frack113 | Sigma Integrated Rule Set (GitHub) | 4a7e3b52f438365db6b61867f157e3bc434b40fb9916eba681bb857e7a1041ee | 24920 | 11856 |
| Sakula RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 1c2774ed7c4cad91219d007aa7101b09d19b442613cd2e3fc453726a7abd1b1a | 24816 | 11 |
| Remote Thread Creation By Uncommon Source Image | Perez Diego (@darkquassar), oscd.community | Sigma Integrated Rule Set (GitHub) | 5242ae9a7c0bb9967f443e598ba4d27edfa69ca76b6fbb7ad0d569f7e9067668 | 24646 | 86 |
| New Custom Shim Database Created | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c028d3fbfe3db756b5129f320616cde63b9929b02e91fb76c1b12fb726eafb71 | 24565 | 52 |
| Explorer Process Tree Break | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber | Sigma Integrated Rule Set (GitHub) | d44e9b6572a6737a34b18fd89f757237729293ed9959e5be7dd05d63e7f78622 | 24541 | 1981 |
| Suspicious Add Scheduled Task From User AppData Temp | frack113 | Sigma Integrated Rule Set (GitHub) | a219a0bf27f7f5f1acdc1fbdd83ff3d3f3711edd5b8111b967d8eb1575aa3b85 | 24196 | 146 |
| Potential DLL Sideloading Of DBGHELP.DLL | Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) | Sigma Integrated Rule Set (GitHub) | 601376b375400e92dd2beb3ddd52c4c8151878f99ed7a406718b7672b4e3722f | 24164 | 3952 |
| Computer System Reconnaissance Via Wmic.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c8e910a6a612d2b2556bdcc91dfca15a43385b8571e490ed29c46ef1a3e5e144 | 24078 | 2208 |
| ChChes Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a515be8db5d265bf43ba29f21c53f4e482fa0f7db4acc10054e85bc0c516a7ba | 23602 | 2637 |
| Suspicious Execution From GUID Like Folder Names | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 08e7088e12bfe2fa4d351a66754c13a0aa7ea7b70fb40c21ce782ac7321e54e4 | 22917 | 13212 |
| Suspicious Tasklist Discovery Command | frack113 | Sigma Integrated Rule Set (GitHub) | 54b43d3a279bdcbcca22abf416f8b57c691f2c84a9363507162ca472e30ab902 | 22497 | 4402 |
| Suspicious Scheduled Task Creation via Masqueraded XML File | Swachchhanda Shrawan Poudel, Elastic (idea) | Sigma Integrated Rule Set (GitHub) | b0f576aead127b964909d75f26e113ee55e88fb8d2bac31fe4a5c12337b4f327 | 22346 | 228 |
| Powershell Defender Disable Scan Feature | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 452d2469c7cd2c2065eaf39a671afb28d62803ea89003d82491c0e02559fcb9d | 22334 | 90 |
| Execution Of Non-Existing File | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d2b7b95657238f7c078b9a6a17689a6184c1cf349ffb183b174ad2bd84681b08 | 22242 | 1393 |
| Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 98a4dc6e84bd2b7671587aaaaa8a8ae8fdd2f8d8880705d12e11f767c77df7c4 | 22115 | 437 |
| Powershell Detect Virtualization Environment | frack113, Duc.Le-GTSC | Sigma Integrated Rule Set (GitHub) | 6e1823de286f8bef414c648f5738bec3bd40700cba3765da26e6500bc2d8e387 | 22097 | 4229 |
| Suspicious Eventlog Clear or Configuration Change | Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105 | Sigma Integrated Rule Set (GitHub) | b8f19be4c7bf862dce0d4d1f7885f2207ddf93b3a33d8a6e16f3968c4fbb6491 | 21936 | 3928 |
| Load Of RstrtMgr.DLL By An Uncommon Process | Luc Génaux | Sigma Integrated Rule Set (GitHub) | 7d0d3be8fa405f5e34c2e0cf9eaa345cacd60eb5244b50b23dc54c4785bc7512 | 21850 | 3323 |
| Suspicious Encoded PowerShell Command Line | Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community | Sigma Integrated Rule Set (GitHub) | 09a6527b05920e47aecbebf5df306d1c194b850076e73d74c3b9ead23b654425 | 21657 | 261 |
| Powershell Suspicious Win32_PnPEntity | frack113 | Sigma Integrated Rule Set (GitHub) | 7cf1e08df2c1e71b9ecbab0ba652d8d7adc890f53db8c630b859d32064f3eb3a | 21506 | 3651 |
| Cscript Visual Basic Script Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 140aa55cb94f2ee1de560a395631283b557b8f771117a7991289298e2c6e7f6e | 21446 | 3633 |
| Net WebClient Casing Anomalies | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2b81c8afee92062579f4f19ea901c1194542107857913a32a13108debb721c71 | 21433 | 222 |
| Potential Maze Ransomware Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d807dbfa78ad565695bdfaa5793858aa25a153091a49b554975f48182344c78f | 21193 | 0 |
| Network Connection Initiated Via Notepad.EXE | EagleEye Team | Sigma Integrated Rule Set (GitHub) | eebf53f371a18d7f8d6992a935d2fbfe811f3d78552949a0597456693cffd553 | 21043 | 4 |
| rundll32 run dll from internet | Joe Security | Joe Security Rule Set (GitHub) | 232de5bd44720ce2fb34b305f8385e685f63ee5e14d8845368072b2fa100a5f6 | 20926 | 15145 |
| Suspicious File Creation Activity From Fake Recycle.Bin Folder | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 51a5b51db51679c45a7aea23d8e25f242e096a01ad35754b45acf5da3ec98440 | 20735 | 28 |
| Windows Defender Service Disabled - Registry | Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 5800379600db7e280b56236f291d8f474f097bed4c21c02367049347a8febc40 | 20338 | 93 |
| Root Certificate Installed | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | aaa442da8065368308d21225f195c966f7aacd66f4a7703b37f095739a0752d4 | 20287 | 3519 |
| File Download From Browser Process Via Inline URL | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d67139d73a6d7369e526a363923c3f504c081ba52a8f8556080f518c4302090f | 19815 | 4592 |
| Office Application Initiated Network Connection Over Uncommon Ports | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 338327c7da2a9fd3fa20080c302384046430050cf2eb53403c7334a8bc26da19 | 19747 | 14311 |
| Suspicious Volume Shadow Copy Vssapi.dll Load | frack113 | Sigma Integrated Rule Set (GitHub) | e3c2bad5a5af60244d315d33a3dc0534c602553aaeca2a895ba4ef848a637abb | 19679 | 5322 |
| Suspicious PowerShell Invocations - Specific - ProcessCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dc48d8314d305b4c97b9f813958e20738bb989b83928e70ea811bb7c0bf7e197 | 19588 | 276 |
| Suspicious Process Parents | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 339db70fcafbc2231425e99a4637ca5513d5eadd2f7807a2ad8bc9123ec81129 | 19192 | 22 |
| Suspicious Windows Update Agent Empty Cmdline | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bfc362a89797a5fb7c7a15aee27b5c62127fff278db59f8dad27390ea34e3e1b | 19185 | 21 |
| Potential PendingFileRenameOperations Tamper | frack113 | Sigma Integrated Rule Set (GitHub) | 3b132597acd67d1315d83f5f329eb2db40a281a5c93df8881e681ba8d6af5a59 | 18813 | 9195 |
| Startup Items | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 80c9078b4f0a21412506961251c7253e037afc83c8a88cd362377082d1efaa30 | 18720 | 16310 |
| Potential Suspicious PowerShell Keywords | Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup) | Sigma Integrated Rule Set (GitHub) | a5f575ade1f2aaba452086d3418d8a893e94b28e30da42ad98b58df4a4fe9c2d | 18359 | 514 |
| Potentially Suspicious Rundll32 Activity | juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0d7b38274ada42870a9b5fe59433cc701b21c18ef543b8c653d2e5dae0f93c0e | 18153 | 1478 |
| Windows Shell/Scripting Processes Spawning Suspicious Programs | Florian Roth (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | 80bbf1ed6106205ab2926430c9634286f976b2fee4357dbacddec45b979a4422 | 17920 | 622 |
| Suspicious Execution of Systeminfo | frack113 | Sigma Integrated Rule Set (GitHub) | f2a81aa24c1d19a09711179a71cd58fe057ab277cbef8632cc6a9281d5cf87dd | 17884 | 1445 |
| Potential System DLL Sideloading From Non System Locations | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e4b059c53908c7008669e834c3c05ad45881842235e14670eb30e91a8df736d4 | 17433 | 6034 |
| Execution Of Script Located In Potentially Suspicious Directory | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 444cf775e51f1f48a4f280cf4a392d9fa3244628404c303864ad4b00325530c5 | 17413 | 10437 |
| Sysmon Configuration Update | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 63576d1c84436ef61b9f2631071146cbf42394a36c3e1a2d0ce83bc2e7b2fcc7 | 17355 | 7966 |
| Access To Browser Credential Files By Uncommon Application | frack113 | Sigma Integrated Rule Set (GitHub) | 74ea3fde96df11352e7b3c70bce437f83f170b5677efeb447c7f33d001142691 | 16956 | 452 |
| Hacktool Execution - Imphash | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e5df091eea8e09dc9859059928ad9ae436f75c7bc67be324d1582e24fe627533 | 16491 | 46 |
| Imports Registry Key From a File | Oddvar Moe, Sander Wiebing, oscd.community | Sigma Integrated Rule Set (GitHub) | d17374b215c7dec3cfb7a7588c3e1ba10e710be57c03928275fcfd3c65bd187b | 16154 | 1117 |
| FlowCloud RAT (TA410 Campaign) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 159df9b8abe4902ba69f24455a788a64edcec473e20be350469118e1c586299d | 15824 | 1069 |
| CLOP Ransomware detection (Sysmon) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 94b16fc40ce61b0527bd124b84d6a631649e579c2c571a3dc68d4f0f9ee4aa76 | 15622 | 5417 |
| Suspicious Chromium Browser Instance Executed With Custom Extension | Aedan Russell, frack113, X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5511a10e5fd658ddc15e8b7fa4c8cc7cd60289f6e54d703f50a9f3a8134ab796 | 15446 | 2482 |
| Potential MsiExec Masquerading | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 709fa572c6d4a06b81742c9cefd264b1debafc1f9b2aedc9798d5cb749d52458 | 15323 | 192 |
| Potential In-Memory Execution Using Reflection.Assembly | frack113 | Sigma Integrated Rule Set (GitHub) | 912f22774b3e6d5ee33f034551a616aae59ae320fe812cf9c2010432ca80df77 | 15179 | 1237 |
| Unsigned Image Loaded Into LSASS Process | Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 41a3e620fba7b86366fe885ba1b20dbaae2be7596e2e9b194ab65dae5e4a7b53 | 15047 | 25 |
| Suspicious Program Location with Network Connections | Florian Roth (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | 01b1cc2515aec2562e5e8cd3c88a60677a1acd2d680b289cf67fa493abe433d2 | 14925 | 845 |
| ServiceDll Hijack | frack113 | Sigma Integrated Rule Set (GitHub) | fb1acd0dbf62447f03607a7716d5d6bd489403a486bd8807beba004bab482bdd | 14884 | 645 |
| File With Uncommon Extension Created By An Office Application | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5c100e376f43b26c0279b6ecab437d35499a64f73cd9c1b180f62e840eebd2a6 | 14880 | 199 |
| PowerShell Download and Execution Cradles | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e88280a32f81c8575c3cb9b02910d867498fbf28ca75ca922ad991faa3a68879 | 14876 | 394 |
| Access To .Reg/.Hive Files By Uncommon Application | frack113 | Sigma Integrated Rule Set (GitHub) | 14975883a22bbc5b0ee6745b2bb5cecf6a97d5b3bc38e7550a98401292959bc1 | 14837 | 6986 |
| Pyvil RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 1b78637b79c8dffe83e4631ca8812c2cab4799547d30fb65df21e42f1894053f | 14809 | 6648 |
| Suspicious New Service Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2e9fe41f275cf8282c3e18ce1605f533249acb7b3762d23c128bd0febd22a085 | 14662 | 2412 |
| Script Initiated Connection | frack113 | Sigma Integrated Rule Set (GitHub) | d2ba63dcfd40541d69308865939969a6282a95c29b46e0eaeb0c39701b6aa2f7 | 14589 | 1104 |
| Nymaim Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a9d7fe3dd2aa50123d54b48a488447b37091616c00667ae7c459bf19dd1ad2e0 | 14561 | 24 |
| Office Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 0533bf39f662d089d6f317f51a9329a2865ffc0d84552c58c39a8d35672474a4 | 14545 | 9816 |
| Script Initiated Connection to Non-Local Network | frack113, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8d980d509aaf7ca8f2c6cd9dd23e8ea6eb18328ca64711cb6e059ecec024fe0a | 14460 | 1078 |
| Suspicious Curl.EXE Download | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d86dfee683d0e96803dc8a153d15f7208afc774045e2d885ccaec10bdcef7831 | 14439 | 2580 |
| Local Accounts Discovery | Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | ec63f6d5ea6cf1a23c7c491b28d6b350219d23a95ea95516ce0256730fb7912c | 14093 | 2939 |
| Potential DLL Sideloading Of DBGCORE.DLL | Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) | Sigma Integrated Rule Set (GitHub) | fd3370668fc80cce04ee89dae971b4c8e5395a5e40e431348a67c8a75b708bee | 14078 | 863 |
| Use Icacls to Hide File to Everyone | frack113 | Sigma Integrated Rule Set (GitHub) | 2b816898a4d295bb7523cf3cf83af84a641b8f2a145e2ca8b12cdf2ac8193a13 | 14036 | 42 |
| Msiexec Quiet Installation | frack113 | Sigma Integrated Rule Set (GitHub) | 269369cff6a753f9bd7a50d72f15b83a86911e2d6d46e1a38561ac385481c372 | 14032 | 5054 |
| A Member Was Added to a Security-Enabled Global Group | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | ba8140e5173f7647dc01d2d1aae82bf84283f52c7aece9e9a61f7f5e75ffe53a | 13933 | 533 |
| Network Connection Initiated By Regsvr32.EXE | Dmitriy Lifanov, oscd.community | Sigma Integrated Rule Set (GitHub) | dc313eb40a68f81f4e6cc8b4658215600b2bac992cb67ea873d40ba70e41b7b3 | 13774 | 42 |
| Suspicious Service Binary Directory | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ecf07e5502e8c93b8a8359e6bde14af9098293d382223c0ecf59834a37cac953 | 13385 | 9 |
| User Added to Local Administrator Group | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 534ecedeba777d436d37888757fcae6c00842f791bdcb6c39d8c804ab3c6a535 | 13137 | 262 |
| Firewall Rule Deleted Via Netsh.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 052f94156672e1511386806889ab6346ea81a8f49f98a8610ce616ee7a9ae931 | 12927 | 3653 |
| Access To Windows DPAPI Master Keys By Uncommon Application | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ec1d4770fddf21948d437ee8ade88904c7b95601bf83cfe214687e2611dd530c | 12490 | 15 |
| Potential Product Class Reconnaissance Via Wmic.EXE | Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community | Sigma Integrated Rule Set (GitHub) | fc6236ee6917b72dac2442d623fbec008944e69e1788346494f1f98b38acb5c9 | 12279 | 374 |
| Credential Manager Access By Uncommon Application | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 24966e29f8ae02e09ad40f3d903269a0ead88427f40a35139eb4d628aa926547 | 12012 | 37 |
| Internet Explorer Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 11ecb99add36c59a082a478e7c117545e6404a0b28c77c007c135739df91a489 | 11744 | 1660 |
| COM DLL Loaded Via Microsoft Office Product (via sysmon) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 8f3c9743049559fb0309f2478f6d6c65e7de8ef0a27373e4c584779e3276979c | 11665 | 8034 |
| AMSI Bypass Pattern Assembly GetType | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0a84db82d1740ebcf2c704e4d71ef3e033441b714135baf3b4025983a8c4e14a | 11516 | 8 |
| Potentially Suspicious DMP/HDMP File Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 098155535b5f140a45c1a07ea729542903d8e4bb81674f7e3a5636d6d121422d | 11286 | 6457 |
| Suspicious Msiexec Execute Arbitrary DLL | frack113 | Sigma Integrated Rule Set (GitHub) | 5802db25decfb533c2f29a2580aaef6b1d4833aade450592d1dc36e256141c3c | 11120 | 7203 |
| CARROTBAT Malware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e5937a80eca18cdaa94adaf02b89a4af91bb9605d3236af13685c8b481d9b1b1 | 11097 | 2235 |
| Directory Removal Via Rmdir | frack113 | Sigma Integrated Rule Set (GitHub) | d0d48610cfc4076f9598a2787593e35702aa291f3772b3678c8025aacc26c35d | 11003 | 4849 |
| Xmrig | Joe Security | Joe Security Rule Set (GitHub) | c9f2b527fcecda6141fde1caee187052676355bc055141a8caa6c22482fca3ad | 10992 | 19 |
| Powershell File and Directory Discovery | frack113 | Sigma Integrated Rule Set (GitHub) | febfc891e8c04ffe16ce1a9eaf5731b0a321cf42be5c06aed06252ec31cdbb79 | 10956 | 5232 |
| Potential WinAPI Calls Via PowerShell Scripts | Nasreddine Bencherchali (Nextron Systems), Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 6c44b18934e9ddd288d035d35a258c41fce2d5f5ebafc55ff866a95fb78db9c2 | 10954 | 1064 |
| BackSwap Trojan detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a5470af7af21c2bc99ebc438fe841b20ec62f530e6540dc01ce42deed3ffb1eb | 10732 | 2193 |
| WinSxS Executable File Creation By Non-System Process | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b98d05d95e8a26eef6f1edf143064928002638d3a45c7a007a16c7b3bb5a9cd7 | 10716 | 1 |
| North Korean RAT - BLINDINGCAN (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6bb61b38bbb774f185f535cafe7a2fc3b848377409dde9963a571d825562c79a | 10642 | 12 |
| Legitimate Application Dropped Executable | frack113, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a323ff5e5edb2d7bf37ac8071bd7e0943ac4d50e99adf03671a8b5bb0eac5cf0 | 10591 | 101 |
| Shadow Copies Deletion Using Operating Systems Utilities | Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | ad5e4d4b939797a70a9aa742d979a4742c2cfedddd663fb1a43b2795c1e6054b | 10486 | 75 |
| Malicious payloads that are hidden in fake Windows error logs | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e55945cd70c0ffa247fd76996326089548147e223588b2b6aeef053c1c0ce613 | 10414 | 2374 |
| Suspicious PowerShell Get Current User | frack113 | Sigma Integrated Rule Set (GitHub) | c0ad3fd3010dc41b8f54cd4f911b4bf081d2d195b0e7548cdc60ebcee9250ad3 | 10405 | 6585 |
| Load Of Dbghelp/Dbgcore DLL From Suspicious Process | Perez Diego (@darkquassar), oscd.community, Ecco | Sigma Integrated Rule Set (GitHub) | 31e54e59e39fda87af874302c79fe8910fcd407edfed11f536cb042394e49c09 | 10160 | 7704 |
| Suspicious Msbuild Execution By Uncommon Parent Process | frack113 | Sigma Integrated Rule Set (GitHub) | 99aac26486266b4916c883cf9ec793784cff9e6617ed361b8c47f7972a4baf46 | 10016 | 79 |
| Potential Homoglyph Attack Using Lookalike Characters in Filename | Micah Babinski, @micahbabinski | Sigma Integrated Rule Set (GitHub) | f311f45a27e981db5c1aff6b1880679af30210f2426d026f442a886afec6ac05 | 9986 | 372 |
| Registry Explorer Policy Modification | frack113 | Sigma Integrated Rule Set (GitHub) | 767b140d3dd4f5df18244f9d3f3a79b259843572bf19ec0cea5f646e1f350c6f | 9947 | 149 |
| Suspicious Copy From or To System Directory | Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | de683a6054ff03b9c12e58c842648f759cfcf797f91dc01078d285e8f3f8e856 | 9770 | 844 |
| Stop multiple services | Joe Security | Joe Security Rule Set (GitHub) | 2319d1843957b572c6e41e1d83656e12eac1e5e75f59ac1ccc309c2b00e9ef86 | 9728 | 9 |
| Console CodePage Lookup Via CHCP | _pete_0, TheDFIRReport | Sigma Integrated Rule Set (GitHub) | 3bda98164bb253cb435c3bc30ce36f9f570b187e1481bf7feb1e9468422fd79c | 9663 | 2356 |
| Suspicious PowerShell Parameter Substring | Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Sigma Integrated Rule Set (GitHub) | 1929e853315b3b5398e0837b2b8928a28ae8eec0611ebb41efc5e6b33e78cd6c | 9304 | 702 |
| Suspicious Binary In User Directory Spawned From Office Application | Jason Lynch | Sigma Integrated Rule Set (GitHub) | fb4acb832d8776634f7ad5e60b2ae16c329118186cc8dcf04d1ce959185c6264 | 9290 | 9 |
| Suspicious MsiExec Embedding Parent | frack113 | Sigma Integrated Rule Set (GitHub) | f46fb5682ba3b26a58530a0f49196fd4253c14c4e64dd7069f21357e3d079509 | 9006 | 3940 |
| Browser Execution In Headless Mode | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 33ab0a6585e80d6608925e96cfd8ae0cbc9b1fde20f036215a29c04eff4548eb | 8971 | 98 |
| Potential Dridex Activity | Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 11ef2fbb89770dbec860f554810a4e34a33e1326589f9eaf562412ceba567f00 | 8850 | 97 |
| Add file from suspicious location to autostart registry | Joe Security | Joe Security Rule Set (GitHub) | ab2075510415e5fab5635dc30ecec20ea16d6bead9c4397297335c9520922561 | 8813 | 28 |
| Potentially Suspicious PowerShell Child Processes | Florian Roth (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | 2105a0eff0c693326dcb33bbdcfd768fd6c8825061ae9eb48d31703fabf241e5 | 8770 | 1449 |
| Sysmon File Executable Creation Detected | frack113 | Sigma Integrated Rule Set (GitHub) | 89e801c894097380321f8d053ed1de87b584d895d5b7de28ee9167d1e0aa90bd | 8742 | 2852 |
| Disable Windows Defender AV Security Monitoring | ok @securonix invrep-de, oscd.community, frack113 | Sigma Integrated Rule Set (GitHub) | 78a8ebe85ceee09aa63f018db033f8616308e95816c4f7429ba0bafe2d0995b9 | 8607 | 71 |
| Reg Add Suspicious Paths | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4ed42e9d011d5674f2f07c78f41b8a2bfd742ee689b7a57fce8316e002688075 | 8434 | 940 |
| Visual Basic Command Line Compiler Usage | Ensar Şamil, @sblmsrsn, @oscd_initiative | Sigma Integrated Rule Set (GitHub) | 5cde8271bb36c24d7ac552a1d30127f3f00a08a681a90eff12e3eac68b72bf47 | 8281 | 18 |
| Interactive AT Job | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | c288d5891a082dd1f38d14b832960d7e1b88651dc301c6985be8e66b561bf95d | 8245 | 8 |
| Remote Access Tool - ScreenConnect Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 4e5183fbf4eb55f1facacd3e44e6d35245f2dea793693a25f292b52509cbdb72 | 8210 | 315 |
| Potential Persistence Via Visual Studio Tools for Office | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | c04f755b9283e9e31eead7707a061225ee4da75cf49c91823ff8aa1d7e026551 | 8086 | 5233 |
| Suspicious CLR Logs Creation | omkar72, oscd.community, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | a0cf7d21374ebc3567492775f48033b67b0a81b95521f405e5be52f2950f9d18 | 8078 | 3240 |
| Potentially Suspicious Malware Callback Communication | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c819b1c2210c6c76f29e7d15825b104bbd98de4d9561a6c86a8b158afd0d2be9 | 8056 | 360 |
| Tycoon Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c2a677a155b0fd75d813c22a6dc0d1632310c42fafb3c2d5cb08090c75ce491e | 7876 | 522 |
| Greedy File Deletion Using Del | frack113 , X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c1c4c35f46055951f3124f8f5791b474f919c9dee2a42d1e737590c5eb7169a4 | 7857 | 23 |
| Microsoft Office DLL Sideload | Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) | Sigma Integrated Rule Set (GitHub) | e48472e0a390541687c6ed6e14d37175a2e2eef8a82f796036fc7d9f7df9498c | 7816 | 129 |
| VBA DLL Loaded Via Office Application | Antonlovesdnb | Sigma Integrated Rule Set (GitHub) | 1c4b9974eadae6764e88b6287305d477f5d777a06dd5a75e4773cea197fb1b0a | 7776 | 7079 |
| RDP Hijacking. Last logged-on user changed. | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 13ed88b8063438c80d6eb6c7e9aeda38d201453d83fa949f65867ced46825db3 | 7648 | 3286 |
| Local User Creation | Patrick Bareiss | Sigma Integrated Rule Set (GitHub) | 8a5a3c45e4c0e75583d9be0aa76f935e9be8f878840cdddb49890be7a65180a6 | 7602 | 259 |
| Suspicious Process Discovery With Get-Process | frack113 | Sigma Integrated Rule Set (GitHub) | b0d225f3239543a37159ba2855ee1e7972c6bff3c83ce7aed9056599f6ee6314 | 7570 | 3100 |
| Unusual Parent Process For Cmd.EXE | Tim Rauch, Elastic (idea) | Sigma Integrated Rule Set (GitHub) | 16502dbca7468597f52d37ca5a5a0f5c904c43f0ca2b6726d890a67a63b68516 | 7485 | 59 |
| Suspicious WSMAN Provider Image Loads | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 33e7351552f382831af6bf73d86054bced055e64df091f572c94e9fc9e9a2a97 | 7369 | 1076 |
| Potential Binary Impersonating Sysinternals Tools | frack113 | Sigma Integrated Rule Set (GitHub) | 8652ffc2b3174864b7f93e2652bbeaa97cba1ce3a0949c10a85ea086c2478680 | 7328 | 308 |
| Disable Tamper Protection on Windows Defender | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | bf1de3b61466c6018ee71be3f901fb544ddb30709a256ce88ddc19444b5a1ea1 | 7296 | 1 |
| HVNC Attack (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 0643197645f9051600e631515cbe8f526e02ae4556e6125c8f9bf640dcc17849 | 7220 | 259 |
| Suspicious Powershell In Registry Run Keys | frack113, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cfe58f03c01bfef6fd133a3da09440cc5613a5dbeb310ee795cc443e18538943 | 6998 | 214 |
| Remote Access Tool - NetSupport Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 65cfc106cf4668ef2ff3c230ac24edd977515d2743358a7e4015e31ea26a4cae | 6947 | 101 |
| Powershell Base64 Encoded MpPreference Cmdlet | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f86d8f196029958699a0b36a9a1a254d7c1bfc594fd486ee04c1e4988965f3b2 | 6920 | 129 |
| Regsvr32 Anomaly | Florian Roth (Nextron Systems), oscd.community, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 455818bf9dc4423de74cdfa396a0735e0fd29acee7f47632575decb468b11cb5 | 6904 | 1457 |
| Telegram Bot API Request | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8119b0f5e55bcc32efeebba677769c41f458947ed836a43326d94ce77e2a6a0a | 6901 | 56 |
| Schtasks Creation Or Modification With SYSTEM Privileges | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a9278f03bce6b217a82c054a78cc6ea5acfebb4b16cd25b7d6cd842bb1dcfd8f | 6777 | 1142 |
| Uncommon Child Process Of Conhost.EXE | omkar72 | Sigma Integrated Rule Set (GitHub) | 7b87fbdccf3c12011b709aab8b9bd4642bd61dc9880e0e1ce9ebb9901e2a3497 | 6743 | 127 |
| Oilrig | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 358d598d019422b994aa86b74a025eddf76f526b50d61f4163e79404bbe9ad0e | 6728 | 2595 |
| Suspicious PowerShell Download - Powershell Script | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 124bf07ac70743e91b5698e3731aae0330fc182aa58036390f2a0457a90b5341 | 6720 | 1258 |
| WScript or CScript Dropper - File | Tim Shelton | Sigma Integrated Rule Set (GitHub) | 858185cf49c680890b5a26787055bc3518a78b5c5f6fc2df09e5516b191cef8c | 6656 | 194 |
| HH.EXE Execution | E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community | Sigma Integrated Rule Set (GitHub) | b0b20b09dd98169c1af4e8643b69d1bbe0cb12c553056b15d64e45d7726ff1b4 | 6651 | 6150 |
| Powershell Token Obfuscation - Powershell | frack113 | Sigma Integrated Rule Set (GitHub) | 0328ed59c29ebeee509b67ed087523a3cbfc646542f343aa12f9b1bbd64324fe | 6623 | 3100 |
| Milum malware detection (WildPressure APT) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 30fcf3924a898a9d1747e89068ab2990c77ca3914a94aa78466d28a9d9da32bb | 6454 | 230 |
| Remote Access Tool - NetSupport Execution From Unusual Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0c574c15cc6c9a17edd7b81b15044dd26631d2a7f6c2d428c6d68d9816e6b84d | 6452 | 410 |
| PowerShell Get-Clipboard Cmdlet Via CLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 405f59430cd2ef58f1b3387a7fc5708e7dd6da1082e96fe6cb359c46daa4e056 | 6430 | 143 |
| Path To Screensaver Binary Modified | Bartlomiej Czyz @bczyz1, oscd.community | Sigma Integrated Rule Set (GitHub) | 71c11c0cc84fa6ba12489ce6fb7a0c5729c809f47cf296aa025e7f514394f01b | 6340 | 259 |
| Start of NT Virtual DOS Machine | frack113 | Sigma Integrated Rule Set (GitHub) | 705bee7ec50dc3b36f21deb0d2cb6e19b1a84d8142bae256797827d59ddcd242 | 6233 | 277 |
| Suspicious Schtasks Schedule Types | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 83e48c48a7932749737a7bd38f5caa95e168e9a37a1d0730ffa0349f567f2895 | 6150 | 165 |
| PowerShell Core DLL Loaded By Non PowerShell Process | Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 309cda68f6a1f23a3de3d6604cd71d89098ca2472c6cfaae572a5d4375389247 | 6115 | 645 |
| Suspicious comandline paramethers(shellcode in the command line) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | c6bf20aec5b9dd748265363c7d01846ca0a5fc666f1114770a8bb7f5e764e4e2 | 6053 | 5301 |
| Regsvr32 Execution From Potential Suspicious Location | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 49c4c4517c1ca707a5dfadad1b8db8afe6380c4546c944335aee3a1fadcc5542 | 5961 | 1571 |
| Potential PowerShell Obfuscation Using Alias Cmdlets | frack113 | Sigma Integrated Rule Set (GitHub) | c085cde9af85b182e783b8d7b42d66d3d0efe08696b4fe7946da3d5d1a2cd51e | 5939 | 3209 |
| Potential Defense Evasion Via Rename Of Highly Relevant Binaries | Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | 6a0e84509806d4477d42410fb267c817a01015e3dcc33e48330f8db0ba9709da | 5794 | 233 |
| Uncommon Userinit Child Process | Tom Ueltschi (@c_APT_ure), Tim Shelton | Sigma Integrated Rule Set (GitHub) | 91fdd3ec700c41d38dcb9127772f866ad831ade83c48c4131aee4842d77be561 | 5693 | 7 |
| PowerShell Deleted Mounted Share | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | 7d4fc33c33fc31d17a2c9ee04cb6e1114c58cbeec3fa2b7cd4f5502b2d28d6ba | 5668 | 3180 |
| Suspicious Userinit Child Process | Florian Roth (Nextron Systems), Samir Bousseaden (idea) | Sigma Integrated Rule Set (GitHub) | 1170a97b19098b92c7fea421765b81d0cea10e0140d9fed3c4d0769718c4b248 | 5580 | 6 |
| LOLBAS conhost.exe (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | b29d2dfc7edb1018f0384c6a0606a6f59a25bb2e9e1ff8a0fa4bad79d7d4121e | 5504 | 114 |
| Suspicious Ping/Del Command Combination | Ilya Krestinichev | Sigma Integrated Rule Set (GitHub) | 2e58fcf707ea25a6c7465ae2a0d4b35ff302cceb7b8fde4ac5d3467d832e005e | 5440 | 358 |
| Valak Behavior (Sysmon and Cmdline) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 95388dc52565d97f01bb478463530fac5eb3a7197bbf17fccbd415b4a10a7055 | 5432 | 248 |
| Blackbyte Ransomware Registry | frack113 | Sigma Integrated Rule Set (GitHub) | afd6cd2469ae4639e99a5087deaf57ed3032b6c807da7fb2ff4ccb5eb58c3582 | 5394 | 294 |
| CredUI.DLL Loaded By Uncommon Process | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | d95ca36c302040f620589faab34078391fb9db19ee77118e3ad298784775d65b | 5353 | 2074 |
| Potential Persistence Via App Paths Default Property | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cef4d3e30776e7c2f6f9875e0ccd23b74182701da04f922481d50f37c50281d2 | 5320 | 1818 |
| Remote Access Tool - Anydesk Execution From Suspicious Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e8f71f8fe8e705cebda4bbb0636db89fdd3c7b9c2faebe19bac1e6d0d6db37c5 | 5314 | 1803 |
| Chmod Suspicious Directory | Christopher Peacock @SecurePeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | 859cf7876f0c68da27f3e292a5e428393e9a8004af0c330fae9787dac43b7bfe | 5308 | 3912 |
| Suspicious Calculator Usage | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 379786e3d43f4df15525494f022a5e59f58acf961a0f2536f20ae374717a9fa0 | 5299 | 54 |
| Shell32 DLL Execution in Suspicious Directory | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fbd6086058f7f1742827e4bf39c6a7b3d7cc32120c2f2cd39a924363da2fe8f6 | 5295 | 2 |
| Too Long PowerShell Commandlines | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | 4b2c1a09ad8532fd7bf380feea00e848eb5daf3d246d1f4dac0ef853f29bc01c | 5277 | 199 |
| Suspicious PowerShell Invocation From Script Engines | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c089503ba0204ebcc3605f01ef3ba76dfff60846f2bad81faf9eae455e81921b | 5242 | 254 |
| Remote Access Tool - GoToAssist Execution | frack113 | Sigma Integrated Rule Set (GitHub) | df5ad6e42247717e66029569fa91f85ff8a54a54497ee42527054193ce21bc6b | 5111 | 3751 |
| Remote Access Tool - LogMeIn Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 2d50b92426dd9dacf9cb8f8155e01c1358138fea49e2459c140ebd54d3e45990 | 5111 | 3751 |
| Suspicious Mount-DiskImage | frack113 | Sigma Integrated Rule Set (GitHub) | 8aa937de88282ab672836441edf50f760451a9112887ad0867753ab1b9fc5a4f | 5096 | 2969 |
| Scripting/CommandLine Process Spawned Regsvr32 | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3c839a03f4fc9d7988e0debb79087dea4e4584fa05c3ee8cd7aad8c037b505cf | 4967 | 1648 |
| LOLBAS rundll32 with unexpected forward slash paths (via cmdline) | SOC Prime Team, @SBousseaden | SOC Prime Threat Detection Marketplace | 4df0b9d85eb21989ce009f134a8fae2edde67a305237b09a9daae0c40abae0ac | 4958 | 2192 |
| NanoCore | Joe Security | Joe Security Rule Set (GitHub) | 270a1fb968dc6493ee107a0a5e9afce805af2cd2d8675f58a02c418e36821076 | 4922 | 0 |
| System Network Connections Discovery Via Net.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 90412c9cf799f0ce454d95cf6bdbef8b1264fbcde3cd6b065ae6aee265882a86 | 4874 | 864 |
| Forfiles Command Execution | Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | 1b7c75c23f2baad2051b96c094a3e6fd1d3f27a92c0518c2cfd7257229c57a72 | 4855 | 178 |
| CMSTP UAC Bypass via COM Object Access | Nik Seetharaman, Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a30845acd045e920f165087e59ac6d9461f6c4bfadfa52e4c518e3bcb9d8cb0c | 4835 | 47 |
| Potential Goopdate.DLL Sideloading | X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5e22ec775af6cbc5059b6f7e9228ad35176019128d402f817de8f1d74a4608ba | 4828 | 2131 |
| Suspicious Invoke-WebRequest Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 56fe16e9bd72e77ff37f1ceaab3ee67231b676c732b7ff10556298e7a60590e7 | 4799 | 933 |
| Prefetch File Deleted | Cedric MAURUGEON | Sigma Integrated Rule Set (GitHub) | c865945cbecb1d16e71f70bbaf2926d63799a2a7a109ded595203301bc777f0d | 4783 | 65 |
| Remcos | Joe Security | Joe Security Rule Set (GitHub) | b50b6d86173debc4d608b981e7d6b5136092c515286d20c0eafcce3b7c411dde | 4780 | 19 |
| AspNetCompiler Execution | frack113 | Sigma Integrated Rule Set (GitHub) | c72e2995683af253e803fa2fe4fb02eab21f864cf7e63657b4c1f5a21e5cd421 | 4779 | 9 |
| Base64 Encoded PowerShell Command Detected | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e75e9983c2277304aa1294c0b077a3139a8405cd1661ccf513a6c05a002acacf | 4774 | 93 |
| Rundll32 UNC Path Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e3e74fa33e688408b75baa0f3988d754504296233bf1904baa587d8b17e3c4f8 | 4749 | 2188 |
| Drops fake system file at system root drive | Joe Security | Joe Security Rule Set (GitHub) | 4754f502f65f5684ed3a2e0c3b8615d89d16535a2ad1fe25ac93f82423267ae1 | 4674 | 2 |
| Suspicious JavaScript Execution Via Mshta.EXE | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | f6f3741fe71241687646386731e58cbb9eb5dd4b8db836bb8840c3d02e5462b8 | 4583 | 32 |
| Potential Commandline Obfuscation Using Unicode Characters | frack113, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1afbb49fc8fb15fab2d75349956e426d182cdd6d06760b6d83594535a112fb1f | 4523 | 402 |
| Potential Persistence Via Microsoft Office Startup Folder | Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b52847695c6477e59d07e791f5afc7389180b1087054b513284bdbadfe15f22c | 4461 | 68 |
| MacOS Scripting Interpreter AppleScript | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 6ecd0ccd55a70b96ebb8ad35b9fc18b56f99fdae0b1c2d235ba3300b9457b516 | 4457 | 823 |
| Uncommon File Created In Office Startup Folder | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f441bf0f20310d2f8fb4c38b047725cf9bafb59c2a7634f73d2d38745157b248 | 4447 | 82 |
| DNS Server Discovery Via LDAP Query | frack113 | Sigma Integrated Rule Set (GitHub) | 16b459cba08f0827ee9607be238b1582dfd3717c30b129b5f215736d5a3c3e1b | 4407 | 827 |
| Files Added To An Archive Using Rar.EXE | Timur Zinniatullin, E.M. Anhaus, oscd.community | Sigma Integrated Rule Set (GitHub) | e5fedf5f2a45c0555943282d3dd05186495acc374df19f7735f92d6d648dd1bb | 4297 | 2 |
| Zip A Folder With PowerShell For Staging In Temp - PowerShell Script | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | 4f19758bce122aae71a356110cf88e95df101e099a2b95e2472e44201244475d | 4272 | 39 |
| Delete shadow copy via WMIC | Joe Security | Joe Security Rule Set (GitHub) | be6d29855558a0e8c404486d8f1838ce35594866f126f9c1c62a9792e9c76be2 | 4239 | 8 |
| Application Removed Via Wmic.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 51aa013b39842efa6b0daa94240755c0d8b9d7b71b5cf5cc482247a3c7b8bc57 | 4207 | 621 |
| UAC Bypass via ICMLuaUtil | Florian Roth (Nextron Systems), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | 2219766fcc5e77936dbd9b7310a20b2ba3f5b4aac858c6ac312c81fcc2838d4a | 4194 | 46 |
| Rar Usage with Password and Compression Level | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 02930d34935e0616b2711790272271498e2a5a03bcf66372f0985d2e89cee1af | 4184 | 1 |
| Suspicious PowerShell WindowStyle Option | frack113, Tim Shelton (fp AWS) | Sigma Integrated Rule Set (GitHub) | 5e2ea8c055dd73ea66238735323d0318c2a6c114047137146357b85f764b1101 | 4155 | 739 |
| Suspicious Mshta.EXE Execution Patterns | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 31e1f4457871d51593456a4331811513af82fe4e36d2b26a582dd6baa180a91d | 4132 | 521 |
| Suspicious LNK Double Extension File Created | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | a22ff20d7afa397abe4e6127e6da647b437781be86602fc20a88c1403f1200bc | 4131 | 982 |
| Parent in Public Folder Suspicious Process | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 84c8381801022afb55be7429db7a75474adba79984c4b957f33c62e931b0f282 | 4126 | 44 |
| Cmd.EXE Missing Space Characters Execution Anomaly | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4bb625c721776edc38f264e032f4677eecbdd60e011a95fa267baee02fc262c4 | 4070 | 138 |
| Renamed NetSupport RAT Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fede1c0268e88b6a7ec369e9c62c124a24ab5c7f9adc969af706be5000e0e8c1 | 4048 | 393 |
| Execute DLL with spoofed extension | Joe Security | Joe Security Rule Set (GitHub) | 90c63349e180656f865f6206a06dbee57bd3226b32eb61fba3e6c7c4452d4e1d | 4026 | 1435 |
| Service Registry Key Deleted Via Reg.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 024bac7758bc9b41b74cd867afe686054dabf2eddd7128488f92797af3459361 | 4021 | 345 |
| Suspicious Non-Browser Network Communication With Telegram API | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 620d128e8f298b86625bd4b6ab76260ff98ffad8b0d6548b49c657f4d01e86f7 | 4003 | 43 |
| Potentially Suspicious Execution From Tmp Folder | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | b8017658b8eef8b1293176d76212e600b660d0a36a4f5dc80141324fae360bbf | 3964 | 2498 |
| Gzip Archive Decode Via PowerShell | Hieu Tran | Sigma Integrated Rule Set (GitHub) | 0df382f7e3b997a4d0a5cf1e3096ed303ea8bef29d4a223899b1bd70c251bc33 | 3950 | 713 |
| Bypass UAC Using DelegateExecute | frack113 | Sigma Integrated Rule Set (GitHub) | da3ec62084336efcb20f4f4e3a94268ca6c1665699d00b48e490be7fc41d2287 | 3921 | 44 |
| Curl Usage on Linux | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e576f496b0ac03c619b88124a419d2c717d3f5e3f5506a17e145443091bda155 | 3919 | 1489 |
| Terminate Linux Process Via Kill | Tuan Le (NCSGroup) | Sigma Integrated Rule Set (GitHub) | 51b34db929db2298b58d76a0d73976f3d729eca95d9b480b9513bd0cea6a1d6d | 3889 | 1777 |
| NjRat Detection Rule | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 44649563045e4b39ea5ec24c20ca7aa44cde80384aa9b3de04a8bb30862d934e | 3823 | 0 |
| Remote Access Tool - AnyDesk Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 0c4da16b3166fbd90cadb96254a8be0f74828fc4eb967256ac0483d9d0a10a96 | 3794 | 1283 |
| Potential Mpclient.DLL Sideloading Via Defender Binaries | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 3a9cafc6a4cdfee1d351b5145ef1b7d6a64e707b04945a9fa54298173b7eaa64 | 3781 | 255 |
| Uncommon PowerShell Hosts | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 87ff9045efc87047afd66230a3eaf7e4306b89e3d232cfa7c9307b4481ef76c0 | 3722 | 424 |
| Renamed AutoIt Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1a5f94b3f0a2443e387f9e068328d36b28cf001899d3d0ccdc05243849ccd380 | 3715 | 136 |
| Suspicious Command Patterns In Scheduled Task Creation | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c6cac3013982f7f078cbf7fdc49b83f80fe4377b7ba4434f2533c34c98a85608 | 3715 | 388 |
| SC.EXE Query Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 373890127a34a7d314b3d10d451aaacb806579ec3e9ed2515dbdd0a4d4bf7860 | 3681 | 1170 |
| Whoami Utility Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4f50c176af3c65d3b67381b2eb36baf45f7c58aa2934ba1b9d94703fb60d977c | 3675 | 1944 |
| Potential Wazuh Security Platform DLL Sideloading | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 747c341b87a90e6e095cbfc8c895fbb8cf733b203dd8db9f7875d676842d4e8f | 3672 | 594 |
| SafeBoot Registry Key Deleted Via Reg.EXE | Nasreddine Bencherchali (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | 4202d03bb66c7e22943582a6959ff86dea30b0493ca74ce160940b0daf7b2797 | 3613 | 30 |
| Potential Persistence Via Custom Protocol Handler | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fcefc4dad7b57e9c907b45137814caa77a11a27696712eecc68d4c6fbdb24786 | 3599 | 1843 |
| Windows Screen Capture with CopyFromScreen | frack113 | Sigma Integrated Rule Set (GitHub) | f8a626af728b3adf32c5a523da76b149e1f41d45e55c4f3b2cb7895c3920b449 | 3597 | 494 |
| PowerShell Script Run in AppData | Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 4975d97d556849fe2e336bf1c8a5012b84eefe1d4059c527aaa8ec3f903022b2 | 3587 | 981 |
| Process Initiated Network Connection To Ngrok Domain | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0aaab6e75614dc39c58e45ef5b3a7f0a1e455ace3bb9041e837370214a92ef58 | 3564 | 13 |
| Unsigned Module Loaded by ClickOnce Application | @SerkinValery | Sigma Integrated Rule Set (GitHub) | 096069eef3be20474fe171accead2e8d072767682ea5ca1388ac7af2510839cc | 3546 | 305 |
| New Root or CA or AuthRoot Certificate to Store | frack113 | Sigma Integrated Rule Set (GitHub) | 924e45f65b58d749e29df4b23b32058847bb1b15673ee93b0f9a0fc94359b19b | 3503 | 2066 |
| Local System Accounts Discovery - MacOs | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | e73eb94c02ee03d3d629b3d54b02d2cf6c9b1dab8a7831ba27d8da0c88755c94 | 3477 | 3169 |
| File Dropped By EQNEDT32EXE | Joe Security | Joe Security Rule Set (GitHub) | 4740c645e33c5fbe1595ad953f030f0aa29f78fcbd141282536d02587eb05d0f | 3406 | 1 |
| Potential Dosfuscation Activity | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3ced86caf89e0cb118bce2037de20fae8f9a70e400916dcdd9c2ee1eec7c58c4 | 3341 | 243 |
| PowerShell Download Pattern | Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 24c9049c81b149aa4537cce166e36f3697878dcdad3fab8b662889d154056d7c | 3319 | 248 |
| Firewall Disabled via Netsh.EXE | Fatih Sirin | Sigma Integrated Rule Set (GitHub) | 5a783ec4b26d8a6276f21c1226c5896266e2591f44f079ca9950892310b00429 | 3306 | 390 |
| Windows Share Mount Via Net.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9816ac44605bf8e1595ecff4424e6d78357aaa8449a03737687a18866b736909 | 3283 | 618 |
| Creation Of a Suspicious ADS File Outside a Browser Download | frack113 | Sigma Integrated Rule Set (GitHub) | c73db505c48b84558f4676b0613f79f5cc2c70db3a96086c3a010c535c245530 | 3260 | 246 |
| Creation of an WerFault.exe in Unusual Folder | frack113 | Sigma Integrated Rule Set (GitHub) | 4469b0111d1f4747a00542caf4ceadd719bff3e7e6e21793e9446d294be895bb | 3249 | 159 |
| Local System Accounts Discovery - Linux | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | db147f594af74bbd5641cf034cfa4ce699110ac6712abb1062141aefe2d13704 | 3248 | 2797 |
| Bypass UAC via Fodhelper.exe | E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community | Sigma Integrated Rule Set (GitHub) | 4793e3844bd4ee212795ee4a6bf167b869d51840732845bf0d2aa41f7481e6d7 | 3186 | 16 |
| Suspicious Process Execution From Fake Recycle.Bin Folder | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ef5803d60821ec99134c6c0fa0bd37ea1e0948d9f28c15324a15eee9929e4f34 | 3163 | 2 |
| Suspicious Non PowerShell WSMAN COM Provider | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | b42a14d4eb96ec45f6bc9ca190be91d043f6ead5ff998b704aabb76605041d4b | 3136 | 275 |
| Potential Homoglyph Attack Using Lookalike Characters | Micah Babinski, @micahbabinski | Sigma Integrated Rule Set (GitHub) | a2dffac0fcddbca9dddd5b57f9a9841ae8948007b05988ff3ba4b101da5fcc45 | 3113 | 223 |
| Potential WWlib.DLL Sideloading | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | acfdd695b50334901b76498dea74721b8b3767958af4dfdb031aebc613d6ff72 | 3113 | 1957 |
| Wscript Shell Run In CommandLine | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 83ab725e0e176c0c59e352231c53ea9aca280a122aaa1c79b3ac8cd955147dab | 3097 | 102 |
| Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | f9da722f2b9be68744c84591d71fc78f53410669a0b7da802cb3abdb56d3fd72 | 3080 | 1 |
| Suspicious Driver Install by pnputil.exe | Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8fd9d688a4929d85f6ba829ccf0fe235ff5f6bcc6ac25306e6425671b81eaa80 | 3065 | 2539 |
| New Lolbin Process by Office Applications | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag, Christopher Peacock @securepeacock (Update), SCYTHE @scythe_io (Update) | Sigma Integrated Rule Set (GitHub) | 8a45e61fc1757825afcd5eca531a7940c6b8fd8ed95faee7b3ea517339e0ee17 | 3057 | 12 |
| Installation of TeamViewer Desktop | frack113 | Sigma Integrated Rule Set (GitHub) | 2495a5176f32a1fe533956bb584ac28d8b3080d4d27a4a91f60fcf3c24bbfabe | 3028 | 2705 |
| Potential Persistence Via Logon Scripts - CommandLine | Tom Ueltschi (@c_APT_ure) | Sigma Integrated Rule Set (GitHub) | 931dce221464a1df97b4bd50fa971fea5b71093af0032d4e392a2f74e9bab9c1 | 3026 | 7 |
| Windows Defender Definition Files Removed | frack113 | Sigma Integrated Rule Set (GitHub) | bde07bc9414d410eaf67f99408a24b51b4b8d186451e641a9a90076cfac22613 | 2965 | 8 |
| Potential Execution of Sysinternals Tools | Markus Neis | Sigma Integrated Rule Set (GitHub) | c718a898b26d6c8f64602f1b33c49df17864599a9ba4a879a1ac22848dbda174 | 2877 | 493 |
| Vulnerable Driver Load By Name | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8f6a6cfb95501925772edc51e1db78dd76eea0e212ed3a9923b1a0de9d552371 | 2849 | 655 |
| Removal of Potential COM Hijacking Registry Keys | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 85b8f7bd2db84db2632bf9e5b9b9402e829785f546868fe1a62c7a6002a6eb60 | 2818 | 670 |
| Potential Crypto Mining Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6bbafdf03b2a79de4fa71f3fec777333b907de6172939c7a35b5bed23d4a4b82 | 2787 | 7 |
| Powershell Decrypt And Execute Base64 Data | Joe Security | Joe Security Rule Set (GitHub) | d77da6b7c1a6f6530b4eb82ca84407ff02947b235ab29c94eade944c4f51e499 | 2785 | 4 |
| Conhost Spawned By Uncommon Parent Process | Tim Rauch, Elastic (idea) | Sigma Integrated Rule Set (GitHub) | 6f60707627a0617e86bd3005d8ce73a34fa6e674c0169d593509953d67bfaa2e | 2777 | 424 |
| Potentially Suspicious GoogleUpdate Child Process | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 09412b30e562e2ce76bfde7b363c711eb8d82f225e5c33b969989c68181d63c4 | 2765 | 796 |
| DNS Query for Anonfiles.com Domain - Sysmon | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 21c4870bc492f9b979f795cb98b5fd283fad4043432a9c3cd239097f04e945ee | 2763 | 26 |
| Firewall Configuration Discovery Via Netsh.EXE | frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' | Sigma Integrated Rule Set (GitHub) | 25c7926ea5dfde7ab41cd4aeebfb89e01d4dcb8b7243522af4f643f690d857c7 | 2678 | 296 |
| Powershell Download and Execute IEX | Joe Security | Joe Security Rule Set (GitHub) | 317ff64a1d49452191210f7b55d7201e483352440ec851a9c716f6be7cfb7ec9 | 2659 | 111 |
| Sticky Key Like Backdoor Usage - Registry | Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | dd211e6e9cebdae07f1d14d61650061c791829402d134a1a9e064ae72b6c4cd9 | 2630 | 25 |
| Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell | Markus Neis @Karneades | Sigma Integrated Rule Set (GitHub) | 1ca8739651295d88708cb5ddfb7a115ae0d202152a80ee4c7871e62f3509c938 | 2590 | 8 |
| System Information Discovery Using System_Profiler | Stephen Lincoln `@slincoln_aiq` (AttackIQ) | Sigma Integrated Rule Set (GitHub) | 52daf4142ede041cf96ed7f183802efd774d9000b614dad0ea8cce461bedeb6f | 2536 | 780 |
| Suspicious File Creation In Uncommon AppData Folder | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8c035500d22804f658be72a55a2b5d591891e0a77e57447d0f0c6f62f89e9ade | 2521 | 53 |
| Share And Session Enumeration Using Net.EXE | Endgame, JHasenbusch (ported for oscd.community) | Sigma Integrated Rule Set (GitHub) | 7cb4a3985bd24a137550fa4c49b1da3fb949c3cf182a90950438e97aaad46378 | 2511 | 487 |
| Renamed Powershell Under Powershell Channel | Harish Segar, frack113 | Sigma Integrated Rule Set (GitHub) | a470fbf97e0f7a4d42fd59ad6332c7521f57d919e725bc61c84ea7ee2e451426 | 2483 | 381 |
| Potential Suspicious Registry File Imported Via Reg.EXE | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 7c610f9de41fe35b34a2cbbdb30ffc39573016dafe890f4164dae07613c21fd7 | 2472 | 758 |
| Droppers Exploiting CVE-2017-11882 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ea2bef709a3e478516f914938492950992d22f0077ede5a561e60f2c092f4dec | 2467 | 579 |
| Potential PowerShell Command Line Obfuscation | Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) | Sigma Integrated Rule Set (GitHub) | e6fdb32f143bba16a3ea06247ced55b7b90f8b5b5c6c26ddb95cdcf23908af8a | 2465 | 150 |
| Boot Configuration Tampering Via Bcdedit.EXE | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | 2da0b3cba5dc2b56e1426049598590c54a224e6d15740b9b07c108e089c84520 | 2462 | 43 |
| Suspicious Extexport Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 942c07d4243aed525402c1e4e2f9880b477ba72abc7023c30c9c10737399e077 | 2456 | 89 |
| Suspicious Remote Thread Target | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 35516fc873ed87d5b0b7a43b8533ffc2f5caa47a50e9166c663b25628f65fed4 | 2413 | 40 |
| Possible new Cobalt Strike dropper | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 3cb32dc8f1ba61964f235761eac5b49d22264f521e003ce641a508eaff8d0eec | 2406 | 571 |
| DotNET Assembly DLL Loaded Via Office Application | Antonlovesdnb | Sigma Integrated Rule Set (GitHub) | df9179ffc950a7d9549e0d76b5a95a94d3b366fcfde63b70a6b7a7215d0d97b5 | 2402 | 2239 |
| CLR DLL Loaded Via Office Applications | Antonlovesdnb | Sigma Integrated Rule Set (GitHub) | 6362c65a14d81807ed78ab9e2fa99fbb546c067d39b3b63846c820e5c401e2e3 | 2382 | 2238 |
| Ie4uinit Lolbin Use From Invalid Path | frack113 | Sigma Integrated Rule Set (GitHub) | 186b21df711a2c225bc97a789a6794326e96247d7982569c6a23484bb7fd61fa | 2328 | 696 |
| Dllhost.EXE Execution Anomaly | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 55e193a1988b8c8a7a5a6a43dd2962320dedbc26a63c88ad59d1df2fa6897da6 | 2326 | 7 |
| Suspicious Execution of Hostname | frack113 | Sigma Integrated Rule Set (GitHub) | 87d10b87f13ab6dd0ee17c311d476bcf6fce51f746e639542c1c6c08b6ae8071 | 2323 | 659 |
| Use of UltraVNC Remote Access Software | frack113 | Sigma Integrated Rule Set (GitHub) | b6d588df62f37e97081e8f05b809fb56a925b1514f359dca67c7b51fe46c6812 | 2323 | 396 |
| Service Reconnaissance Via Wmic.EXE | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d9ee3f478c792e1c6683bb60949d7041271eaeee5e5927b518a6f65e7da2607e | 2294 | 281 |
| Pykspa Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | daabc950b44baa5580ce5e56de6f2f363ce1854a5273ffd3ac321453e35a83b0 | 2292 | 41 |
| Suspicious Program Names | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3dd877e77def39df894b8703b956bdc819796feea2cf44bef9f73339d5a37b5c | 2280 | 120 |
| PowerShell Script Dropped Via PowerShell.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 7cf0b126730658e7c96da1ae0b63c1bb84154a239ca32c09909963038dfdcacf | 2273 | 563 |
| Registry Hide Function from User | frack113 | Sigma Integrated Rule Set (GitHub) | 82ee39002b5715b57e2aa8b1d93068fa1c6e7147795a59563c5812d827f7f3de | 2262 | 12 |
| Cscript/Wscript Uncommon Script Extension Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1168f1f8b0347e370d4f049726cef5752fdd4db77ea2e8f33d611739f3257b7c | 2243 | 131 |
| Suspicious Execution of Shutdown | frack113 | Sigma Integrated Rule Set (GitHub) | 157ee4e95270f64481c50464c0e4766830e1e2b38b214a98f9e3f977857c6c69 | 2212 | 349 |
| Always Install Elevated Windows Installer | Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | b7188ffaa64031d83c409b5110885c29570d52a6ba3bacaee0392371cf071016 | 2197 | 1073 |
| Suspicious Windows Defender Registry Key Tampering Via Reg.EXE | Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 624e5e799c1829ffc2199cdf5c7bc356cfb6da8137626ea544cdeaa8ee1d5c75 | 2195 | 65 |
| Sakula RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 68a19d3c88378331526d97065cc73f033a6ff79b1ebd046f7d815d967bd2dd69 | 2182 | 0 |
| Legitimate Application Dropped Archive | frack113, Florian Roth | Sigma Integrated Rule Set (GitHub) | 0b57c6b31ce9eea5f85c018839666b92eb3444ccbb55a5d93f7b89a74cb7daf6 | 2181 | 1951 |
| Register Wscript In Run Key | Joe Security | Joe Security Rule Set (GitHub) | 530f42d2839f1cd12564a3743f6b294d960920a76da960e2c17e5337c43df9c4 | 2166 | 15 |
| Registry Modification Via Regini.EXE | Eli Salem, Sander Wiebing, oscd.community | Sigma Integrated Rule Set (GitHub) | 876619ed554fa68bef3ccfc88d359efb8c1f05d0781e13279ff3c4ff29f4989d | 2166 | 262 |
| Legitimate Application Dropped Script | frack113, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2d15bc5d08223728e30ed4330ad99024b1467ac8ddb073e7ed368b0468898e80 | 2163 | 302 |
| Suspicious PowerShell Download and Execute Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bdb4652f83b1c4482478b0c14bcb08d332fcd600a7303ab1c709c543499be726 | 2125 | 82 |
| Trickbot Malware Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1c7a83aaaaf300f7e44e597465797c7e812cc0c684756d1be37d0ac7acf0dc5c | 2124 | 0 |
| Proxy Execution Via Explorer.exe | Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative | Sigma Integrated Rule Set (GitHub) | b32b8c78e20435f731c3241fbfb6354a0b9f86ec81cc5ee202e0f0cf13bf110c | 2083 | 220 |
| Wab Execution From Non Default Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ee4aa57ce6316f4a46bc9e62a1748e7d5d687ad6315114f4d4eff654910c961c | 2068 | 231 |
| Whoami.EXE Execution Anomaly | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 05b85f64fdf521b059aab9daf9d75829fa4a5febd27fe09ac0224e405b57a654 | 2014 | 187 |
| DriverQuery.EXE Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a67413f6ee51de2df640e8a66bd1d745d4e44207f484cbd3b33ac3b3fcbb0688 | 2010 | 280 |
| Potential Configuration And Service Reconnaissance Via Reg.EXE | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 218d6661cbefbe4342fb5e6f0aa14df5602a3a39691bb19b246644804e6d341f | 2006 | 315 |
| Browser Started with Remote Debugging | pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4eba2a7f729f2c02ec972ed01919c8bf5d2b8493f9d6a934f14cf0d3a55d14db | 1978 | 271 |
| Group Modification Logging | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | 48fbab3f0d31a3776ce8099e24b7c20af280fc9952c2d83fb8e54e4808a7d506 | 1975 | 185 |
| New Process Created Via Taskmgr.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bd4c20ecc3fa26779f917ddf7cd594af5a64805084e11c2a680ade82d77b01ed | 1967 | 2 |
| Suspicious Scan Loop Network | frack113 | Sigma Integrated Rule Set (GitHub) | 14d137deb681ad845cc2e1992b2e9cb3490ddb1372d62da747f4042d7e6b87b0 | 1966 | 186 |
| Potential Windows Defender Tampering Via Wmic.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 3ba90b1c0830dec1dbbd2f42eb503552860963d25a6bbe081b92875c243be50d | 1960 | 15 |
| Malicious PowerShell Keywords | Sean Metcalf (source), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5bd56545b7e384edee75e378b7ee025e05f6bcb012607cb6425ccedd54fdb070 | 1958 | 196 |
| Set autostart key via New-ItemProperty Cmdlet | Joe Security | Joe Security Rule Set (GitHub) | 20d65fc22a4ca2deedfc3a40bcfd0522766c18fa1ebd190b9d8fd068ee94ec0b | 1953 | 8 |
| Usage of Renamed Sysinternals Tools - RegistrySet | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 96f6bdacbe2704258d0efb6732980de5d8c8fb4c21f34072ec9e4e2267271ec0 | 1945 | 171 |
| Set Suspicious Files as System Files Using Attrib.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | afdcecbde34527044e8c4c24e502ed3dfae6daa2d07665ad18226afff77ed6fe | 1929 | 54 |
| Suspicious Recursive Takeown | frack113 | Sigma Integrated Rule Set (GitHub) | f3043e9cf491489279145a8ffefa67bbe2fc398be8117092c11cdfdc2f9768e7 | 1928 | 1161 |
| Uncommon One Time Only Scheduled Task At 00:00 | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 85cd399008ef4733657024eb14bcee01c9eda5cb5a070f2f186550293ebe4d29 | 1912 | 51 |
| RunDLL32 Spawning Explorer | elhoim, CD_ROM_ | Sigma Integrated Rule Set (GitHub) | ac298c53d8d1f5e60dfe82fb023ca044b4a7477be65c3b5eab997e0e9cf64528 | 1907 | 187 |
| Powershell Execute Batch Script | frack113 | Sigma Integrated Rule Set (GitHub) | ece68c3b6fda1fe5c7d8707c5dd9099cf564ed0e7e7b480e97278c475f10e5a7 | 1880 | 849 |
| New Root Certificate Installed Via Certutil.EXE | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | 7e27ad096cfe35b247261a88a0082eb1feb9c110817bfc4774f404f8f2958328 | 1879 | 361 |
| Vulnerable Driver Load By Name | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 01bc5b8a84214e476feda4fcc9c76cd6f44b3306dc67b15f214bc791497235f0 | 1860 | 658 |
| Potential PowerShell Obfuscation Via Reversed Commands | Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 474582c275339926ac17574ab90c8246d89014d6b66a4312e8e3edb7277ffba0 | 1851 | 98 |
| Finger.exe Suspicious Invocation | Florian Roth (Nextron Systems), omkar72, oscd.community | Sigma Integrated Rule Set (GitHub) | 7014c2ce26877573641173ba99dcd8d8af4f637986c42be19651a8a37c5ead6f | 1819 | 34 |
| Powershell download and load assembly | Joe Security | Joe Security Rule Set (GitHub) | 32fcfd50f2fcf0aa58bebfbfb09b7e32b7349a17a5c1aaea5b18783f458c4e9d | 1818 | 8 |
| Suspicious PowerShell Parent Process | Teymur Kheirkhabarov, Harish Segar | Sigma Integrated Rule Set (GitHub) | a4d012f0f7c21ebed94f8e82f4910702fcbcd9d21bf70e4b1b039f48970d1bbc | 1800 | 151 |
| Suspicious Group And Account Reconnaissance Activity Using Net.EXE | Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6782835a8af9329207a47fe5076c3dff20a8803bafbda97ddc938ae379eaf8df | 1798 | 147 |
| Disable Important Scheduled Task | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 09601976d693769f1fe442a0618410420380d7de7aeec4e52c0ebe6e3ebebe56 | 1791 | 96 |
| Regsvr32 Execution From Highly Suspicious Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6c6985a0a641b52c4f0f82f7c86c62603a68482d3a2dd76787a91435f6022c75 | 1780 | 618 |
| Python Inline Command Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4eb25eff0b4d84652480301d5845b79be20cecc54ff18737ad9fde16370bcb4a | 1767 | 996 |
| PowerShell Script With File Upload Capabilities | frack113 | Sigma Integrated Rule Set (GitHub) | 80e1441e8251586c742da610b4bceb4d94fbe79f4e8b64b9745b6a11da90d7c1 | 1764 | 543 |
| PowerShell DownloadFile | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f0282b9dc90a1761ed8cfb90b52bc5f53c2c8ccbff1ca29790e8d17c7eae56dd | 1762 | 140 |
| CMSTP Execution Registry Event | Nik Seetharaman | Sigma Integrated Rule Set (GitHub) | ffeb4d256edb1234faf30da37a584025d92817eb5a21c5394c4c6d78e3922d95 | 1749 | 34 |
| Activate Suppression of Windows Security Center Notifications | frack113 | Sigma Integrated Rule Set (GitHub) | 3729c929acbee7cae1291d3e460c3e673684211679e8a94cbd1297192aafdd06 | 1745 | 4 |
| Suspicious Msiexec Quiet Install From Remote Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 62641a1f33f67c78cb5f920f86788ab9e084dd90a20f1bbe56bd0de87f85b129 | 1731 | 281 |
| System Information Discovery Via Wmic.EXE | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 323231f5fffc92ef7ff7f631c4c88594149ee8841ff32c3c742054b37f17e6ae | 1720 | 174 |
| Rundll32 InstallScreenSaver Execution | Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec | Sigma Integrated Rule Set (GitHub) | e6082733e3e0087a0d92bb4d25eb43218d2a86b3681b4d5ee37ab8c2e6ecde4d | 1716 | 496 |
| PUA - WebBrowserPassView Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 33f5c9533af9250ea025177bce3fdac08e97300ebdcb88f194c75a49a985bcfb | 1710 | 3 |
| Renamed AutoHotkey.EXE Execution | Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | faa3bfbb393e061fd71e00b73b6f984037d3a2b68f4e57eb09b3de8ccd76fd1e | 1704 | 20 |
| Dfsvc.EXE Network Connection To Uncommon Ports | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1d7a62dc09883785488daa6144af5d9bfda250d5660d8c6978c160b54a716b30 | 1698 | 201 |
| Quasar | Joe Security | Joe Security Rule Set (GitHub) | 295f36b4fe50737f7d27a3862ea45297f78efdf77ab2decd501b4a852765ceaf | 1697 | 5 |
| Copying Sensitive Files with Credential Data | Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 8712e0baf2cbfba40ac1ad1854da93829b0f78d6eba117de03912aa985d46a79 | 1688 | 3 |
| DNS Query Tor .Onion Address - Sysmon | frack113 | Sigma Integrated Rule Set (GitHub) | 674f76f777472c9d2fd1dbb116a9a1a6bf35dac71c41ca14a21ac0493d7f471c | 1662 | 144 |
| Ilasm Lolbin Use Compile C-Sharp | frack113 | Sigma Integrated Rule Set (GitHub) | 611acd0c150597ac4f2758e96797e2e85ce476be43fdec2817e9cd8bcd44de66 | 1662 | 127 |
| Silenttrinity Stager Msbuild Activity | Kiran kumar s, oscd.community | Sigma Integrated Rule Set (GitHub) | 6a6afb8a168ede702164bc1169f8f046647310ca518ed5dd776966148a0e9532 | 1661 | 9 |
| Bladabindi backdoor | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f47281ceea7e998eb629b82b6be68c1aaa23f6b18111420b7a52cd72b575f527 | 1658 | 0 |
| Insecure Transfer Via Curl.EXE | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 77ecce5ea77940e3b7b82f2766d696c4bf16f75a458c3ddfe650f26d4475fa74 | 1651 | 257 |
| WinSock2 Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 688632515df3a00cecdf2ee4e9316bea52edf73c9cb0889c10d336de857c293c | 1637 | 239 |
| IE Change Domain Zone | frack113 | Sigma Integrated Rule Set (GitHub) | 1fd27acf648f3f73802533ae95c6e367de8eb32fe05e9d3b52913ec54401a5ca | 1609 | 467 |
| Potentially Suspicious Cabinet File Expansion | Bhabesh Raj, X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2c33916c73b8057eb865f965b0e9e05fddeae85fa5405eee775a7df4cd58173d | 1597 | 144 |
| Suspicious XOR Encoded PowerShell Command Line - PowerShell | Teymur Kheirkhabarov, Harish Segar (rule) | Sigma Integrated Rule Set (GitHub) | 3df27b5ffb8110f82c5da9120fd9c1c88c792ef65770b7f2706fc60a04b9cc9c | 1575 | 145 |
| Add DisallowRun Execution to Registry | frack113 | Sigma Integrated Rule Set (GitHub) | aaeb77150a9427eedfb3c4c85538e120e703cd22905d020b93856bb7ebdb03a7 | 1565 | 11 |
| Firewall Rule Update Via Netsh.EXE | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8984d13764576549e824707eeafa56e2bc51d0ba2e3cccdb362a5dc69926c991 | 1542 | 225 |
| Invoke-Obfuscation STDIN+ Launcher | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | fddefdc90062c691bc46bba8afb5fc6b455c1d7141337a963441437d5355a6c4 | 1534 | 28 |
| Curl Download And Execute Combination | Sreeman, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 78dc71a5599dc85b3d37a6ab0f014aa5110b2ce1b2346c8f2730e0c481977781 | 1514 | 26 |
| User Added to Local Administrators Group | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fd4f9d3b927e38cad7f6a36f5f41cae6a1450b551d9506408259953d8d4ee23d | 1508 | 199 |
| Wab/Wabmig Unusual Parent Or Child Processes | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1c3bd5d3931125cc632573be718453c2b36b0f1392032fda05ad4d1982d1c0cc | 1498 | 20 |
| New Kernel Driver Via SC.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b1f54a781e9cc27de125f11b56abc94639629aaf0f1fdf9072886fde50266b7e | 1492 | 483 |
| Dumping of Sensitive Hives Via Reg.EXE | Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113 | Sigma Integrated Rule Set (GitHub) | 4caa5ae7b301d0b7382caf525ab9dead072ea9efadc1f7cc59d8a59c20b0fe57 | 1487 | 548 |
| Remotely Hosted HTA File Executed Via Mshta.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 25fb50db6056bc3db5e2f3d8d53b6ef8b6fad41ac3ecaf0386e316bd1711baf0 | 1480 | 49 |
| Suspicious PowerShell Download | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0c6e3c35fbd166dc96fbf3faf4f052230a9cc9db642ee3bee40f5c94d5938d03 | 1465 | 45 |
| Copy file to startup via Powershell | Joe Security | Joe Security Rule Set (GitHub) | f81996947f17d7a0b11829404a9a1b42e1041d6d013b0021dda3bbbb35dfa106 | 1459 | 2 |
| COM Hijacking via TreatAs | frack113 | Sigma Integrated Rule Set (GitHub) | 849823df2c9dd0af3b0d2474c1008165e48a5accc0c613e62140502a1eb678d8 | 1452 | 726 |
| PowerShell Base64 Encoded Invoke Keyword | pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t | Sigma Integrated Rule Set (GitHub) | b064d328910e5b6554d91ba5ed74ef613fac96a491b96d7456084c26c3cd376d | 1451 | 93 |
| Powershell download and execute file | Joe Security | Joe Security Rule Set (GitHub) | 1fd2d09eff791a970cc2ad6da0820134ef9d52d4341ab32028edd04e8dd158bd | 1449 | 33 |
| ilasm.exe execution | Den iuzvyk | SOC Prime Threat Detection Marketplace | 382ffab0f18db16a9fabc5be94893af76646b4a1c35d436ba2ae16961943008e | 1449 | 57 |
| Powerup Write Hijack DLL | Subhash Popuri (@pbssubhash) | Sigma Integrated Rule Set (GitHub) | c50b384b3d0f5d468c48abf6ac8fd6095727405ed00d170aeadf0fc1b4add34b | 1448 | 254 |
| PowerShell Base64 Encoded FromBase64String Cmdlet | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b079b9bebaa7ac01f379d6d83aa123ec20bc9068b9a097e09aec5f87b42d91d1 | 1447 | 58 |
| Suspicious PFX File Creation | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | ec56e35983955cbc753846d06d67ba2cf88a10a498711ceb84afe1322ca958a1 | 1447 | 797 |
| Suspicious MSHTA Child Process | Michael Haag | Sigma Integrated Rule Set (GitHub) | b9bc90b7745bcb3a2cf9de40d1d419d18ead6650040015c7f4755848e9bfdb05 | 1441 | 179 |
| System Information Discovery Using sw_vers | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 2ccb76001b1d9e10e5bfde545cebc203b585a87dfae5be9eaefcbd6d2e0a1c54 | 1439 | 1071 |
| Suspicious GrpConv Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | aa2a49ac8cb28455a3f30cf373b4ee1ade0b735bc1db5a574956be8f95fcf6d7 | 1429 | 466 |
| Invoke-Obfuscation Via Stdin | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 92f548de44082f5573a9a1cde5e0716b71988288605c254b85f32d8f3405ef83 | 1411 | 53 |
| Suspicious Rundll32 Setupapi.dll Activity | Konstantin Grishchenko, oscd.community | Sigma Integrated Rule Set (GitHub) | f85bfb745e5bbdd54cf800d8d7e40f16b02685138c13830986a050536d69aa0d | 1389 | 332 |
| Powershell adding suspicious path to exclusion list | Joe Security | Joe Security Rule Set (GitHub) | d933fed60e38128e7e3586361ae42b885a5285e04ab14da997282550a77a9059 | 1352 | 132 |
| Enumeration for 3rd Party Creds From CLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9459f67b1253cc08abbddb96a073b963a102b013d6fb679d6a0273540ad7b19f | 1345 | 343 |
| Suspicious Scheduled Task Creation Involving Temp Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c81c0126a6006ad9dbec7215030642dac0a918f133b33aa4c077f9676d84cd58 | 1340 | 2 |
| Wscript Execution from Non C Drive | Aaron Herman | Sigma Integrated Rule Set (GitHub) | 2f480881c25523a22197ce2abfca8d05a61f804534f8a053fbf65303a9375332 | 1339 | 73 |
| Relevant Anti-Virus Signature Keywords In Application Log | Florian Roth (Nextron Systems), Arnim Rupp | Sigma Integrated Rule Set (GitHub) | 39e7fb552f1143dc6ba79ca293aaea514c20448ec6241a53cf150f29298b942d | 1336 | 326 |
| Suspicious Creation TXT File in User Desktop | frack113 | Sigma Integrated Rule Set (GitHub) | 965125e7c09a79de6429b9218659a7c8785c989273642091a7ebae3bfbe920c1 | 1322 | 734 |
| DUNIHI Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 7c58e06f9c4bfbbca18106234f802a2f21fcd03ca11bcc0d10c040d1e451d4b1 | 1317 | 8 |
| CMSTP Execution | Nik Seetharaman | SOC Prime Threat Detection Marketplace | 58d4fbfb0b53744348e77deba3d12df957601d7b27fda30abc676523e9634cda | 1303 | 21 |
| Stop EventLog | Joe Security | Joe Security Rule Set (GitHub) | 35db6f1fe683cbacad6aa4943d1220e844a15d069404bd602fa782a2ff05ea1c | 1284 | 1 |
| Unauthorized System Time Modification | @neu5ron | Sigma Integrated Rule Set (GitHub) | fd18f89d9ade39f1b15ef9cc31ce8423991e3c873567ec9edc2cb1a45ac79f69 | 1273 | 268 |
| DotNet CLR DLL Loaded By Scripting Applications | omkar72, oscd.community | Sigma Integrated Rule Set (GitHub) | 5c2eb7356281203a2556ea40a71892ba7a369c46d5f2fc4574a427ac968c097c | 1269 | 688 |
| Invoke-Obfuscation VAR+ Launcher | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | dbba719e722ed35e6290aec93e2c9879ef0eb3966254ad9f15c73b24f11ccf9e | 1269 | 15 |
| PUA - NirCmd Execution | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b206243f31b4de9b9721047301fe3728fcfc85f7c7db682bd477e0d7c41093b1 | 1258 | 78 |
| Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE | @neu5ron | Sigma Integrated Rule Set (GitHub) | 388ce51cb79d4deced7fce86e5dcf1e2eec1c04720fb2fc7e451d12abbd53416 | 1248 | 593 |
| Suspicious Electron Application Child Processes | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2b1f50cff6a2e8639ee801986adca76402def027ff7616841139cbf2ab32e2f0 | 1238 | 84 |
| File Download Via Curl.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2ba177894c99b540ea867640a2706237f274cc5b176aeae69bbe985e11bb1b06 | 1232 | 522 |
| Weak or Abused Passwords In CLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 505504b564af2ed8ba77826b758a9eb5bda1701b18ffd11a5266b48d417692fe | 1232 | 512 |
| Renamed AdFind Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 12b8d345b794db3ab93ddfad353edbac7bb89f27e11dfb968d1e97cbe1061cdb | 1193 | 900 |
| PUA - AdFind Suspicious Execution | Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community | Sigma Integrated Rule Set (GitHub) | 1e88d14fe153e2c630eb9bdd7e321d7dc3d82670a31f1b36fc90cb6cbc362136 | 1191 | 900 |
| Session Manager Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 9acd91066b664aa3f4181a28555facbc432bae9a4c8502aa92ceae1de1f31753 | 1186 | 311 |
| Office Macros Warning Disabled | Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c343cc005c090768ceeda7de8ee3ac77e284a81d14c5a803a4fe3a2cab1e3f83 | 1179 | 9 |
| Operator Bloopers Cobalt Strike Commands | _pete_0, TheDFIRReport | Sigma Integrated Rule Set (GitHub) | fc1c644d943e763e67a7951dbec3c33d1e4710aed85f336a114eac8b43c735f5 | 1177 | 18 |
| Delete All Scheduled Tasks | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 828f57327c792b3d7689543c6e7d2a87b71f15589b3c45366d0486473f86b2c1 | 1164 | 6 |
| Malicious PowerShell Commandlets - ProcessCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6109e5a50653d03dbabfcf3bdf71fa77c6e2430050d589990fe4869424a68d5f | 1164 | 266 |
| DLL Search Order Hijackig Via Additional Space in Path | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | eec4fdc586db73cdad5bc34b172ecb132a75f4607c84cdeef26a811db01918fd | 1151 | 18 |
| Process Proxy Execution Via Squirrel.EXE | Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | a7aba66fc56c50a87fc053cf4dbd37af1845fac642e98272db5c4d804dc66de5 | 1151 | 793 |
| Recon Command Output Piped To Findstr.EXE | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | cfe5725f3bf0ca4bdbb0fa295dc9f4f317fdaeb5a37cf2252678c2c1c2e4a915 | 1142 | 486 |
| Powershell download payload from hardcoded c2 list | Joe Security | Joe Security Rule Set (GitHub) | 5c6454bb6fd16d176798dcb8685eabffc5295c27b7c2c471512f66343a885a24 | 1141 | 6 |
| Persistence Via Cron Files | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | f74e8628441aa3b7bcbf82dd77cc025925e34078d02d169dd947db62675dbeaa | 1134 | 68 |
| CMSTP Execution Process Creation | Nik Seetharaman | Sigma Integrated Rule Set (GitHub) | 4ef4d3aed2ed44386659d6aefb7649de9568189358f367fb8708d1870d19fdc7 | 1131 | 32 |
| File Download Via Bitsadmin To A Suspicious Target Folder | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a88a5cca5a8f8c7db551190230651c821a8acb62ba7f1da53866381af9c5263d | 1125 | 290 |
| Space After Filename - macOS | remotephone | Sigma Integrated Rule Set (GitHub) | 2b3ab43da00d1cb60c0d3f837ce61f81355c37b68a1c3e826e66d68962c57752 | 1125 | 130 |
| EKANS/SNAKE Ransomware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 164ef4a9c3213fa19bce8c0def1c7e491e774e8b12b55aaf55c5cc2732b4386f | 1119 | 474 |
| Suspicious Volume Shadow Copy VSS_PS.dll Load | Markus Neis, @markus_neis | Sigma Integrated Rule Set (GitHub) | 90a2634e64f0a02343bf17b797e3d249061fdee81d36e5dac2d8e3fe2a2df280 | 1096 | 79 |
| Steal Google chrome login data | Joe Security | Joe Security Rule Set (GitHub) | acba408186cae97e9de5ad46ba35ffdf61f94f181c5287bfd9e76aa1e5293b1b | 1091 | 1 |
| Fsutil Suspicious Invocation | Ecco, E.M. Anhaus, oscd.community | Sigma Integrated Rule Set (GitHub) | 4b8a086b898ff9eb51b0489b98e2619d0c9fe2cd94e29325ec8a4c2250220b8e | 1081 | 29 |
| Decode Base64 Encoded Text -MacOs | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 6101f5b902371808a5b407d66c189f259bec69ab6b4cf5b58a655af663843c71 | 1061 | 47 |
| Potential Emotet Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ada08103432e4112d167b1d10f0fc02281936c8fcb181de17d5bca07755bac84 | 1059 | 2 |
| System Information Discovery Using Ioreg | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 8276e9cd0b9b7c3f0b1005650ba6ee31d135feb4851ec2c1fef43e0ad32f66cf | 1057 | 507 |
| Extracting Information with PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 4e243e6a618f306cfd754df3b30132c4fa518c4ad26b6d755244064cd3110b0f | 1055 | 617 |
| Potential Browser Data Stealing | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7f302700c67727730ec082001e9f6840f366aca520673a11d09dd130bfc31429 | 1048 | 48 |
| HackTool - UACMe Akagi Execution | Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3c4f6f1af78c01c8d7d6fcdd27c3167044933fcdf73f667e973ce1068765ea16 | 1047 | 20 |
| Potential Suspicious Change To Sensitive/Critical Files | @d4ns4n_ (Wuerth-Phoenix) | Sigma Integrated Rule Set (GitHub) | eb81e21bcba6fa7eb54dbacb299fbd6d9409d1f0a91735cb19dae4620da3620a | 1044 | 999 |
| Windows Internet Hosted WebDav Share Mount Via Net.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 958619e5eaecca1767a6c71701ed1838a9cbb62ccabbe7c6a9d8679a3fc0e0f8 | 1044 | 271 |
| Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate | Sai Prashanth Pulisetti, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 149998404377f72bc44b77b90b9339b9992c7ffdfa4ac2f8b9197b502ce28357 | 1036 | 542 |
| Suspicious WmiPrvSE Child Process | Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | eb1dbd652c505f66652af5683ecfecaacb1483523b07254e9d1eaee151af6ec9 | 1036 | 0 |
| Suspicious Query of MachineGUID | frack113 | Sigma Integrated Rule Set (GitHub) | 5b823c33b4d7a619c0190d52bf60fd92f6768d9bff34fb85446b00ca141f030a | 1034 | 484 |
| Windows Defender Real-time Protection Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | a1c6c38c5e7bce405aa9ef27dce9dc9d160e553efc2e947b0b78b5f78219aae0 | 1032 | 1 |
| Rundll32 Execution Without Parameters | Bartlomiej Czyz, Relativity | Sigma Integrated Rule Set (GitHub) | de72fd0fbb1418b8eddde8492f15f221fc84e0ca0d3ca576ccd0ff897fb98037 | 1031 | 25 |
| Tycoon Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4a1bfdd64820625ce8a3a3a1703ba1575511aa7971c4320893b9fa4b51c65a4a | 1029 | 22 |
| Malicious payloads that are hidden in fake Windows error logs | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a0266c26a19ccfed14f484c3055ab6ca00bdb3123ee47a1a36410d63d33650ad | 1027 | 271 |
| Potential Startup Shortcut Persistence Via PowerShell.EXE | Christopher Peacock '@securepeacock', SCYTHE | Sigma Integrated Rule Set (GitHub) | 537a092527e25f9e54a3ddb6667c0303fbda5891d2f933ec0fc62bd4a5572cb4 | 1021 | 84 |
| Malicious PowerShell Commandlets - ScriptBlock | Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer | Sigma Integrated Rule Set (GitHub) | bbb841b3f1cb3bdb122737ca0755cb93d982ecca4651de2822af469b59071f87 | 1008 | 156 |
| File Decoded From Base64/Hex Via Certutil.EXE | Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 2d3c931bf891955b7bf9d7745ece5f7bf306ac6c9a9ab72ee992a6d199bc2aae | 1007 | 52 |
| PUA - Process Hacker Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9a58c7a82520f7b9dc792cd56e2fce86b3157b6cef6fb23101ba29111c5e4733 | 1002 | 13 |
| MZRevenge Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | aa09c929bbf92e934dc584324a80a81643f2c336dba38293142077f86bdde84b | 1001 | 518 |
| MSHTA Suspicious Execution 01 | Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule) | Sigma Integrated Rule Set (GitHub) | 7a63d1c1bf6ebb277b02d4893066d3732e3d7df562cfdbfee275bbc5c4de0951 | 993 | 238 |
| Detected Windows Software Discovery - PowerShell | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 2f2546b453b2e10b60c4d6b1345bc05c2dc99e42daef2e236a11005d772937ad | 990 | 146 |
| Potential Encoded PowerShell Patterns In CommandLine | Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 157d3e7415430b97001871f8aecb592075581e05187450141e56c252318f2b26 | 983 | 105 |
| Powershell Token Obfuscation - Process Creation | frack113 | Sigma Integrated Rule Set (GitHub) | 6dd3abd7ee97d24f91e01e6fe236e6d2b8b12c2943ed9bb875e5613bf3deb8d6 | 978 | 46 |
| Remote Access Tool - ScreenConnect Installation Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 29112c1d912aafdd95b322ff1127f1fde6560b1d2e3dc1484d11d9d222af7435 | 975 | 37 |
| Potential Antivirus Software DLL Sideloading | Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) | Sigma Integrated Rule Set (GitHub) | a9d24e4f31c09e5d49bfde0dc5512383f008eb0a959b9e000ec57e5f29264313 | 960 | 358 |
| Suspicious File Download From File Sharing Domain Via Curl.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 09fa8f2c3e86f0fa6cc0876e94d77a20c07409a7154a61ef64a9a9a31a6d0049 | 952 | 223 |
| UNC2452 Process Creation Patterns | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f282a8660328d20195770b77f51561e6885408fc2136a6916d0380839cf39301 | 946 | 28 |
| HackTool - Mimikatz Execution | Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton | Sigma Integrated Rule Set (GitHub) | 338397ed109954fb8f766d6849691b20570aadf79c77ac5509047b25b9af2859 | 939 | 15 |
| New User Created Via Net.EXE | Endgame, JHasenbusch (adapted to Sigma for oscd.community) | Sigma Integrated Rule Set (GitHub) | d83c79bbca4183561b4591dd3ce69faed2e6cfed3217f2658b85c237af7aceea | 930 | 153 |
| Suspicious History File Operations | Mikhail Larin, oscd.community | Sigma Integrated Rule Set (GitHub) | a90720274637391656758b0a5ab9ec371918d4a1e9d3ac56fd4d0f8719a7da72 | 922 | 495 |
| Abused Debug Privilege by Arbitrary Parent Processes | Semanur Guneysu @semanurtg, oscd.community | Sigma Integrated Rule Set (GitHub) | 9d455dd5e2e653e4afbec915a896019f9ca31a26fba6e2ba47b2a380780ed090 | 905 | 13 |
| Schedule REGSVR windows binary | Joe Security | Joe Security Rule Set (GitHub) | c26e0207e75a84b37249afa14659448c57c0203d2220e8049b52775ab00538dc | 885 | 0 |
| Amsi.DLL Loaded Via LOLBIN Process | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6f788218e57d2939e69140473d30d868ecfc490ccb3caee4be496d022d6bc807 | 883 | 263 |
| Fodhelper UAC Bypass | Joe Security | Joe Security Rule Set (GitHub) | c5017f04443b7c88d4fe320734d24f38108f67663239bc00f5c164081e9b5e0a | 880 | 27 |
| Mimikatz Use | Florian Roth (Nextron Systems), David ANDRE (additional keywords) | Sigma Integrated Rule Set (GitHub) | 62e99f238afed27b43182594e90243db3ec17324c819a349f12ed55c015e5a71 | 880 | 1 |
| Persistence Via New SIP Provider | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ffce9ca9bd1660b065199ba140fc11dab25117a4d350b14bcc2553cece9c997b | 880 | 596 |
| Outbound Network Connection To Public IP Via Winlogon | Christopher Peacock @securepeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | 030a43138df8f268a688b4d336377f9ae24dca9828eec55a36d20824b6201ae9 | 876 | 0 |
| Suspicious DumpMinitool Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5756a38333b7f693b74fb2c16621de4da8e6e821acbb692ada0984c90768ca6b | 869 | 38 |
| Potential Data Stealing Via Chromium Headless Debugging | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 894bc44621968b8ec9fc62b70f7ecf4d2f1e5bf6ff6c9e1c450929a2f2d8cc09 | 865 | 60 |
| Suspicious Manipulation Of Default Accounts Via Net.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4932dce91cb1fcd2986acdfc28c116d5bd4899b8052649b068effd4022c81f8a | 860 | 140 |
| Process Explorer Driver Creation By Non-Sysinternals Binary | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 99c7a3c2ca557dc3ff22980e34539383c6be02b29d75aed44570e5292dfb47cc | 854 | 55 |
| Frat Trojan (Loader detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e5340d719fcf66efd2a0ce9db73895f3154a53e10e72e001760230ca6aa22057 | 849 | 0 |
| File Download Via Bitsadmin To An Uncommon Target Folder | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 26ba1712f407ff4fbcd023c45091ebd8daf92a2befec4d5f1969002f7eeead49 | 846 | 82 |
| Tasks Folder Evasion | Sreeman | Sigma Integrated Rule Set (GitHub) | ab8ea26663a3935bd7f1783455f465a74c106836d5a68c19a61dec68dd2596c0 | 827 | 0 |
| Disable Windows Firewall by Registry | frack113 | Sigma Integrated Rule Set (GitHub) | 2e9f34a4006a3d9169bfe02d2b846c4db28b03c5394e9216e6dac294db0644f8 | 822 | 4 |
| Process Monitor Driver Creation By Non-Sysinternals Binary | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b37461353268b5d8d8a4a0d3ec132773396606b1cc30106f1524817122d6ed5c | 822 | 51 |
| Renamed CreateDump Utility Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ed9dd3a8bde9d3f74318eae5a66dc75d50f12cb32fd6854fb7289d91507b60c9 | 817 | 619 |
| HackTool - CrackMapExec PowerShell Obfuscation | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | c5f36e07dfb01984d08d19db1fe7f194936f079b371ab900d58eff493b972744 | 804 | 76 |
| System Network Connections Discovery - Linux | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | bcce343b1b60fe2c9b0a19e6c49cd613e3cd470f7a5a4dc85811f8188fbdc872 | 802 | 572 |
| Invoke-Obfuscation COMPRESS OBFUSCATION | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 2cf6294605b971d082366887fa44157d3f99e7552181ee7314a2ba598a2e5d66 | 797 | 1 |
| Security Service Disabled Via Reg.EXE | Florian Roth (Nextron Systems), John Lambert (idea), elhoim | Sigma Integrated Rule Set (GitHub) | 0c3e5c376a4a569ab4a4f3217dd009bb34e695e5fa82da85111db47f2b801bc9 | 793 | 33 |
| Potential Recon Activity Via Nltest.EXE | Craig Young, oscd.community, Georg Lauenstein | Sigma Integrated Rule Set (GitHub) | 1419b2c28c143f7062ef95f941065d5327c65890cab58ade41efd168132d8b3b | 791 | 41 |
| Renamed Rundll32.exe Execution | Florian Roth | Sigma Integrated Rule Set (GitHub) | 9c82223957e793a96ef035ed0c34e45da5cda4718210320cc09615a65b0fb5d1 | 790 | 3 |
| Whoami.EXE Execution With Output Option | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | accf31ff0e1e1b6219d9c964b9ca9832458e71ee32cac96d64cb26de422128f2 | 783 | 126 |
| Office product drops executable at suspicious location | Joe Security | Joe Security Rule Set (GitHub) | e0e4a0d55b1462c34c5c59221f7b9ae4b1625aa019f157ee2d60b21d286df9b5 | 769 | 6 |
| Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | bf0f7d2a84916abcc597e4a38a6231519b38af0223147ef15e28c7ab83f47c7d | 766 | 205 |
| HH.EXE Network Connections | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4630d11b74b3a0ee68be5cd7788cbf0adc046f1248a513c2971cf8dd4a03835b | 762 | 481 |
| Suspicious Invoke-WebRequest Execution With DirectIP | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fda985869abff56461050c96a2f19a215ac6e3636ad0bb952561118e7989a6f5 | 761 | 99 |
| Service Security Descriptor Tampering Via Sc.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 79b65bcfec60a228ced8c00aa4b8ff786ce017482ff46446e002fd9ea7bdbd00 | 755 | 507 |
| Execute Invoke-command on Remote Host | frack113 | Sigma Integrated Rule Set (GitHub) | 61dae8b0a35fc9369e410406f226b559d6c9cb12837347724e7c4f9281869910 | 751 | 260 |
| CMSTP Execution | Nik Seetharaman | SOC Prime Threat Detection Marketplace | 7d8b8c88008f45dc07b07590cdf039437686d441d35e7204ba91a632ebc9439c | 747 | 31 |
| Allow Service Access Using Security Descriptor Tampering Via Sc.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b2414a4d8972516423f6b63d79b5aaffd883551d5c9ee63294d6395da8f6a88b | 743 | 497 |
| Shell Process Spawned by Java.EXE | Andreas Hunkeler (@Karneades), Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 0eced37f0ea111b4f9b0de81cecda56610adc30fad4061274a488187f71b395d | 743 | 127 |
| Suspicious FromBase64String Usage On Gzip Archive - Ps Script | frack113 | Sigma Integrated Rule Set (GitHub) | 4c7e768ac31ad9f19aa32c2c10eb81eb9b6ae9d00129f474125bbfa6e8cf42ae | 743 | 21 |
| Bypass UAC Using Event Viewer | frack113 | Sigma Integrated Rule Set (GitHub) | a0f94cedc18c397f576619978b15265938adc1cba9d431467d50db98d8a79972 | 742 | 4 |
| Potential Mpclient.DLL Sideloading | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 3600236ebf60c82a22ab80d3e53ec7e062aecdf809b0db101631364cbae11df6 | 739 | 0 |
| DNS Query Request By Regsvr32.EXE | Dmitriy Lifanov, oscd.community | Sigma Integrated Rule Set (GitHub) | 047ea96432123c5b2a32816291dc196702b51bd9d49adb2c1673b59dd0018a0c | 731 | 164 |
| Suspicious Reg Add Open Command | frack113 | Sigma Integrated Rule Set (GitHub) | 81f2a11aeadd681c5a2bbef5acdebbc356da424e56854a985e3c7eb0aded2fba | 726 | 29 |
| Suspicious Parent Double Extension File Execution | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 00b61d3ad8d5b276f712ce687ea306dc5b640516a51e65fd05ec277c5b979611 | 712 | 15 |
| Copy itself to suspicious location via type command | Joe Security | Joe Security Rule Set (GitHub) | ca9a79f8e23430115778a41aa4671433713b393278e1a60331cbb991a0f30f82 | 711 | 82 |
| Spora Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4dce473be53cdc44d945acff82c6e5ef53b3304748f9aebc8d4f586230520785 | 708 | 172 |
| Domain Trust Discovery Via Dsquery | E.M. Anhaus, Tony Lambert, oscd.community, omkar72 | Sigma Integrated Rule Set (GitHub) | e5bf067d8fc5f77622680e942156a44de63eda6026750ac80c29d0304dca435e | 701 | 0 |
| UAC Bypass via Event Viewer | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c7f53a29488cdfc8b3ab7ecb4699f5c655615954b2d1ff9209e2dba026e30dbc | 697 | 0 |
| Cscript/Wscript Potentially Suspicious Child Process | Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86') | Sigma Integrated Rule Set (GitHub) | 1a5f4db4505797dbb968725fb6bf6b357968abf23fbcc6b92acd08a6214e3e4e | 694 | 69 |
| Pyvil RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e1ca1eef7de3f782d09979e606d626e690c8a52046acf75e7a5de3203cd0a570 | 692 | 225 |
| Publisher Attachment File Dropped In Suspicious Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a8d0cd7feb7b63732f7a4b623d0c83302978e8b31eb15abbd34e71731c438c1c | 689 | 423 |
| Bypass UAC via CMSTP | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | ae5debad574fb4590d5efc9d2e3614bb603a5670f3f9f926a42d2ecbf0de0291 | 687 | 34 |
| Suspicious FromBase64String Usage On Gzip Archive - Process Creation | frack113 | Sigma Integrated Rule Set (GitHub) | 7ba93fc93efb5d8901f3061f6c7f586575a9b70f53e7c4e4241975131258aac9 | 686 | 0 |
| A Rule Has Been Deleted From The Windows Firewall Exception List | frack113 | Sigma Integrated Rule Set (GitHub) | 67a0e8c868b0d9e328cacb80b1deb06682096f1919a50ecd953a8b4cc9a1d01e | 684 | 591 |
| Uncommon New Firewall Rule Added In Windows Firewall Exception List | frack113 | Sigma Integrated Rule Set (GitHub) | 67d7bc69b082fefa483232989806870ecde5e6bcb70d0db262c428e845ce0eff | 684 | 591 |
| Windows Firewall Settings Have Been Changed | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 693c36f61ac022fd66354b440464f490058c22b984ba1bef05ca246aba210ed1 | 684 | 591 |
| File Time Attribute Change | Igor Fits, Mikhail Larin, oscd.community | Sigma Integrated Rule Set (GitHub) | cf228b836870037eda6ce9d429595c3a3c8bb83b64b142fc4dae821bc43b3fd8 | 683 | 438 |
| Suspicious Rundll32 Execution With Image Extension | Hieu Tran | Sigma Integrated Rule Set (GitHub) | 9103c9abde5b20f2b8e59ee53ea823a7c4e9d171c3f07a383b2ee7c0b3f792f6 | 677 | 224 |
| File Download Via Bitsadmin | Michael Haag, FPT.EagleEye | Sigma Integrated Rule Set (GitHub) | aca8c04f52d20c1f8ac7c5fda7686124759166ab9439145354e331faaf792bb9 | 662 | 109 |
| Always Install Elevated MSI Spawned Cmd And Powershell | Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | 742d7b1dbef016ab3810ec50354e231948fa035c8cacfec6b18f3a8fba03c2dc | 652 | 188 |
| Potential Suspicious Activity Using SeCEdit | Janantha Marasinghe | Sigma Integrated Rule Set (GitHub) | 49aac70aa91f01a7539b5678a4fd244f32b078c30cec03a7ca460298d59a2a43 | 652 | 234 |
| RDP Sensitive Settings Changed to Zero | Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | e03a36fa82b6ec641fbe51860f9769191f5a8055411effaabb66600f778ef3ee | 646 | 74 |
| Potential Command Line Path Traversal Evasion Attempt | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2a64ca949e5ce433b70a21b4be0e71e5ad0cd2465395fd093410ce2d33177cdc | 645 | 171 |
| Potential Persistence Via Notepad++ Plugins | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1492d5fa8f02d4d7ce8b5c279841da26a3dae0da5562729690d1875944341bc0 | 642 | 324 |
| Remote File Copy | Ömer Günal | Sigma Integrated Rule Set (GitHub) | 1cde4fe7d0cd62ea67b1474e3fd6fe9a6931bd8af934f3a5e9b8c134d90bd7b5 | 642 | 372 |
| PipeMon malware detection (Winnti Group) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 7f7471486789b0240cf2b95271088889269baee8e3fb42b0cdb6d71d7d37588d | 641 | 456 |
| Renamed Plink Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0b74fe58c124fa3f0817cadd3efb94d64ded5662336971846facb96d8b01e56a | 641 | 147 |
| Suspicious Characters in CommandLine | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8d9898d05ff5a6ca099b0ec5f7aee9f3581d649c0ac4f2cf24f874e95d19d5ac | 638 | 58 |
| Disable Windows Event Logging Via Registry | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7496876fb48565b8278bf669ff38b2846b842f9f663b755f72c105f928ae76c6 | 637 | 45 |
| CoViper Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 156996684d126da245b795581497a973d9061da14c527920068752bc9a466ecd | 629 | 161 |
| Potential Renamed Rundll32 Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6473e93a221b66c30b661dabfde02604f395c46f8e019efe0b3db46cd7dc03e7 | 623 | 145 |
| Add Port Monitor Persistence in Registry | frack113 | Sigma Integrated Rule Set (GitHub) | 8dbe594a0f4eb93aed5bfffd0545b03cb0d8c91d229a169700c0d5a7b140795b | 619 | 293 |
| Windows Defender Threat Detection Disabled - Registry | Ján Trenčanský, frack113, AlertIQ | Sigma Integrated Rule Set (GitHub) | baa17a6a8681c2a3d925f497f9c81458eab98535fd28d8909861aece2b9cb901 | 618 | 9 |
| Automated Collection Command PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | beee5a67cef9cbdfd4d0e1db0dc60dff160df233b0948d9988a2ca819a41727c | 616 | 194 |
| Firewall Rule Modified In The Windows Firewall Exception List | frack113 | Sigma Integrated Rule Set (GitHub) | 1b4845df7f68549988add5335d4685cb047e4eaabd5768d84a5483935b0d5499 | 603 | 522 |
| Change Winevt Channel Access Permission Via Registry | frack113 | Sigma Integrated Rule Set (GitHub) | cf2984facb3af2703a88c05e420505bdaad5887f51fbf32167a0bf5abfcc28bc | 595 | 11 |
| Tap Installer Execution | Daniil Yugoslavskiy, Ian Davis, oscd.community | Sigma Integrated Rule Set (GitHub) | 47fed78a8bb63a7dee467bd25acd7bbfb704d602012f1a2228eb56c9f6760b7a | 591 | 239 |
| XSL Script Execution Via WMIC.EXE | Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | e80db9df819552f83bb1bc542be2503390d7a47f3c26ea4db86797b530411d2c | 591 | 15 |
| BloodHound Collection Files | C.J. May | Sigma Integrated Rule Set (GitHub) | ea90a9d0a5b0365173a60c78d15843211f9bc89dd93a164a6b464b66d82da85c | 583 | 404 |
| Powershell Directory Enumeration | frack113 | Sigma Integrated Rule Set (GitHub) | 7ce2e69836f6ffe690530adb579824031c46a1bee75e6f8dc9ec028fe59c5681 | 582 | 270 |
| Remote File Download using GfxDownloadWrapper.exe | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 16dd4d7c651cd862752fb483a4e7898c821603b1739b7aecb11298a6e931189e | 582 | 582 |
| Powershell Install a DLL in System Directory | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 51fc69e23d6cd3acb20d821dbe95596fb6d8cc314866c51a6a23033b83818ee8 | 577 | 223 |
| Modify Group Policy Settings | frack113 | Sigma Integrated Rule Set (GitHub) | dfec584345112d1012631493a8cdef4a2eb03ea5bd33d360363e24776a148a71 | 573 | 71 |
| Windows Hotfix Updates Reconnaissance Via Wmic.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 392fcdac1175baa32b5f9e8899fc0dcd24fb0c6c9390adfd646bd983451e2810 | 572 | 147 |
| Potentially Suspicious Child Process Of Regsvr32 | elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7d605643d3d8c564d51574a154eb77dd6009d4c2a39133d7fe93089f5764286b | 564 | 5 |
| Service Binary in Temp Folder | frack113 | Sigma Integrated Rule Set (GitHub) | 36e24eb60fb7bfe4a61d59d53220df514ceab13a68a4221cf5b7d120d53c4a3e | 564 | 177 |
| Verclsid.exe Runs COM Object | Victor Sergeev, oscd.community | Sigma Integrated Rule Set (GitHub) | 0cc6e99f887ebd84bef65b69e0c64f654364e79f53cf546f89d1507edd3bbb6b | 559 | 204 |
| Change Default File Association To Executable Via Assoc | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7fb55b14b0522200d56a9829ce919bc7a3bb320b473d376575989fde5e57f8d3 | 551 | 0 |
| Malicious Nishang PowerShell Commandlets | Alec Costello | Sigma Integrated Rule Set (GitHub) | b80c35f99523537c476487e505edb0c210eea308fa18707fdcd5aa54d136e3ce | 551 | 72 |
| Potential Privilege Escalation To LOCAL SYSTEM | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7e17cc0d521f2433baf3ca36bf22ec2946bb387a555fee75aff1c992849a2578 | 544 | 44 |
| Potential Ryuk Ransomware Activity | Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 38e5073851afbf6c39ea309703c229e83988c6d3548896a389e9ef8795917947 | 540 | 15 |
| File With Suspicious Extension Downloaded Via Bitsadmin | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6650c06d796cadbfac3560efcd86cb681d552bf6cb9c4d1fa9b6c82b556ae087 | 534 | 71 |
| Suspicious Certutil Command Usage | Florian Roth (Nextron Systems), juju4, keepwatch | Sigma Integrated Rule Set (GitHub) | f1e311405e4ccc1c99ed8213bdc24b813560700daa47ca78033edd0d8993ba04 | 534 | 37 |
| Potentially Suspicious Event Viewer Child Process | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d37f057d76500ae8527178a9ea367395f2bde798f1cd048621be74f915b28aa7 | 533 | 15 |
| Group Membership Reconnaissance Via Whoami.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4a8be8d477a2fbfadd8b27b53ce2a677c2b380814db4dedf6b47a8986fd6a69c | 532 | 125 |
| Suspicious Get Local Groups Information - PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 5ef6bc365a01e6ef90c1fc4f49006e9a8fe08e82c0a9ce80c10153915771547b | 530 | 304 |
| Suspicious Start-Process PassThru | frack113 | Sigma Integrated Rule Set (GitHub) | ce0c4f663ae2b2d04af92c5309f25b12035419b2fc2b6b9c161ab8c7830e3e52 | 526 | 199 |
| Access To Windows Credential History File By Uncommon Application | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a97837cc5246d1005cb41d097acb5e089b3031009ed77e1792b93102e79c1f03 | 524 | 4 |
| Suspicious RASdial Activity | juju4 | Sigma Integrated Rule Set (GitHub) | c182c186baaff4acc155d390da0732179995f7767ef1710ca041111414a157f6 | 520 | 163 |
| Operation Vicious Panda (COVID-19 Campaign) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | cf68f11f087c4b3b504b67cb0a9e4a499e486a6de10aee0811ab515d3336d7f1 | 516 | 25 |
| Renamed Mavinject.EXE Execution | frack113, Florian Roth | Sigma Integrated Rule Set (GitHub) | 7e9ffe282ed5cf9a47857b911d7d92611b0af4f61bfe1bf89131f57080e0100c | 513 | 77 |
| Use of Wfc.exe | Christopher Peacock @SecurePeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | 828fcf5b0d289ec191b7e622d323a6e6def6af24a2d4aa575f7f8543ffd3de0e | 510 | 21 |
| Potential Edputil.DLL Sideloading | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ecb809c2a4f83341a0254cf013ec5faf8d4870c4ad1a2ba5564f248d54621a89 | 507 | 135 |
| Execution of Powershell Script in Public Folder | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2a39a26b108b99d76b325cabad67ed0b401f56104a863ba5158e0d3b889adc0d | 505 | 37 |
| Suspicious PowerShell Invocations - Specific - PowerShell Module | Florian Roth (Nextron Systems), Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 355b439d3a90c89090f6f266afd2306ad6a03e5ca79228ad1be6e9cb6940491b | 504 | 6 |
| Discovery of a System Time | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | 18ed38c04ceafb2aa0b9dcb106310ce76cb1473a4109b6a489663f5c250bd2a6 | 502 | 54 |
| Uncommon Outbound Kerberos Connection | Ilyas Ochkov, oscd.community | Sigma Integrated Rule Set (GitHub) | 9c660d5fee16f15f8c327be10917fac3b7275a58ecb9ed73d49e0ac6c35a7df0 | 502 | 11 |
| HackTool Named File Stream Created | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b995506076579a8c1f5b600eca139df5fd016994aab5c3865a4f7f7cd0dc3931 | 501 | 0 |
| Curl Web Request With Potential Custom User-Agent | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 88ff5337fc700aeab5dd5118bce29d1ca0b6108a128d1dfdf3638f38fbcea403 | 499 | 67 |
| MSBuild connects to smtp port | Joe Security | Joe Security Rule Set (GitHub) | 86905c36f5c4e855311f702723eec0c6a4dc9e9992fcec9b2ddcce685b7c2e09 | 499 | 0 |
| Change Default File Association Via Assoc | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 6143134666e4626abac4d906c673c60d7fdb48a48b44f2817af790432cae836f | 496 | 186 |
| Remote Access Tool - RURAT Execution From Unusual Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | afdd67de130ff9c5fd2b18ca53480574ad0613d99edb23555df03caaf3cd774b | 491 | 6 |
| SideWinder Ransomware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 1f154d23ec03058edb48ed3380f862daca50719af728e0660a5dc14a5ab5b867 | 485 | 200 |
| File Download From IP URL Via Curl.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | eb80a13f018daf47775fec9d5aaf6173f1ad3ed6a71702583f0bbb2feabc66f4 | 483 | 11 |
| Outgoing Logon with New Credentials | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 55191fe8fd6505fe4952b024afcf9016670b4fade05502947a91ca4d3558d59d | 471 | 31 |
| Potential Libvlc.DLL Sideloading | X__Junior | Sigma Integrated Rule Set (GitHub) | e154e6fee14ecb972ffc142082d91cd9b413720840d13f7eef05014791a60d1a | 471 | 188 |
| HackTool - SecurityXploded Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b097e888f96f943b0d94d7835326dbbc76b3cf117fd9407832fbace74cb60f48 | 470 | 29 |
| Equation Editor Network Connection | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0418449ae011d99278f952cf0feb26a91074c66d4f9fd7f162f91ae71262c40e | 460 | 0 |
| Tor Client/Browser Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 5e1ab62fc9383aad72ce1011e101e15342e386adc35483e383f335b0e5904f84 | 459 | 55 |
| Powershell Sensitive File Discovery | frack113 | Sigma Integrated Rule Set (GitHub) | a4c59bdaf575107ce23b3c6e62c772eece15e1f61e51a236e70e3b95c48bf0a8 | 455 | 165 |
| Stop Windows Service Via PowerShell Stop-Service | Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ad906661229e2ccee26f0fa5a23b6e080c651463299081f5b7a9bdeaa0b4f857 | 452 | 193 |
| LimeRAT | Joe Security | Joe Security Rule Set (GitHub) | 667c9dcf6079fd28997e3e2b10b629c8ddbbd7bdffee1889aef6476277791e13 | 451 | 4 |
| Suspicious PROCEXP152.sys File Created In TMP | xknow (@xknow_infosec), xorxes (@xor_xes) | Sigma Integrated Rule Set (GitHub) | b33ac74e3c46a62df1698c5ebafdc2ab3f5907feff6e6ec1f73d273465b4aa5a | 450 | 9 |
| Potential Credential Dumping Attempt Using New NetworkProvider - REG | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fad33264376c884f3f011141325fcda3eb98e6b4c916520ed6044fa16c571fe9 | 447 | 319 |
| TeamViewer Remote Session | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a8298e7cd8ae07e912b976b51f53ec407301b782a18845c32270523946510c52 | 447 | 311 |
| Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE | Greg (rule) | Sigma Integrated Rule Set (GitHub) | 59b298e2e3b915378e28421e82fd8ba5669ee9eb26f07f878bde7303b4baf016 | 446 | 144 |
| Potential ReflectDebugger Content Execution Via WerFault.EXE | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c39f4f5b97b1b17af1e4ec1d780f8384744cdbdcaf071260d5e9d9c523e6bbb3 | 443 | 385 |
| Suspicious Splwow64 Without Params | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c4e0758476210a09a3e470db05d2cbec0aebd511e48d351685c75970566f894f | 443 | 36 |
| TrustedPath UAC Bypass Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 804e7993351b779b371021d0b762692107233efc595e1171e5f9ebc62b851247 | 440 | 5 |
| RegAsm connects to smtp port | Joe Security | Joe Security Rule Set (GitHub) | 4ff400ac692a7dca2bab429bae7ab6cb7f2bae4525b1ba9420ef0b5137ebf1d2 | 437 | 1 |
| Register DLL with spoofed extension | Joe Security | Joe Security Rule Set (GitHub) | ff70195d476ffa7a3d8e0b1503ffeca1e8707431b00403dfa695732599b571f5 | 431 | 280 |
| Disable power options | Joe Security | Joe Security Rule Set (GitHub) | 57a5517535a56aab78723dc056130f1e0a6659bbc7addedcacecafa9ed499f0a | 421 | 0 |
| Modify Group Policy Settings - ScriptBlockLogging | frack113 | Sigma Integrated Rule Set (GitHub) | 312aebbf9dd01274971762d360bf4d4870a7b7138c7cc149d33a9ba8df72b293 | 420 | 302 |
| Potential Persistence Via Shim Database Modification | frack113 | Sigma Integrated Rule Set (GitHub) | 8c893b41c5a28ef36c6b16d709f057af26436898776837e685d30b93672c2de1 | 418 | 147 |
| HackTool - Rubeus Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 74f9a93f96bad4ba440f105a789ab5905ef284191baa105737e7ac861d13bd44 | 415 | 0 |
| Potentially Suspicious EventLog Recon Activity Using Log Query Utilities | Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | df4c82057d61dd45f1a9a17a781614a8918ad397600ddeee25a1615fb75459e8 | 412 | 13 |
| Remote Access Tool Services Have Been Installed - Security | Connor Martin, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4fbc5b70b0ec22886cd8282ca750dcf7f30821364598b9309389ea8b9867450f | 411 | 82 |
| PUA - Advanced IP Scanner Execution | Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | eba28e9e2b6ff9e170e3534ea8b1e863757d5c976a9a84e4bbf5bd6ffeea5325 | 408 | 88 |
| Indirect Command Exectuion via Forfiles | Tim Rauch (rule), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | 21c4db1b5b4f502860c9d961662f1f7daa62cf3e4c4c9712977dae1ad368a19e | 401 | 2 |
| Windows Defender Threat Detection Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | 41872a2c86ff9bf310cf8a81b0235040c25793f1fe6255fdc5bf771cd716ddfc | 400 | 324 |
| CMSTP Execution | Nik Seetharaman | SOC Prime Threat Detection Marketplace | 7577d4e0fc2ced5cc24f093d5dca8c02dd117651e5112bee21b6526b7fa34075 | 398 | 3 |
| Suspicious Sysmon as Execution Parent | Florian Roth (Nextron Systems), Tim Shelton (fp werfault) | Sigma Integrated Rule Set (GitHub) | d76c7bc40bb395a6c2bc04fb2518aafb5044409e7d084eab35a00d6514635261 | 396 | 2 |
| User Added to Remote Desktop Users Group | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 04ed3e23df49b07ebec11f2374d1ccce40bc71d867b1f8e29ea40b1b9e878ac3 | 394 | 44 |
| PUA - NSudo Execution | Florian Roth (Nextron Systems), Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 813ebaa5c2ede1835703f1defdfeae762f95ae97f36a5ee2da94b4b2b0877e5a | 393 | 5 |
| Suspicious Printer Driver Empty Manufacturer | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 69f693a2bf7b4c283ad2afbd17043a7a25fd7596d7f26f5f77436d56ba9529e8 | 392 | 202 |
| PUA - AdvancedRun Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1acf8a5bd4b9da5f502c337d49e41685a8b09ec964d979cda876f038871b43fa | 391 | 21 |
| Xwizard DLL Sideloading | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 96b3df20cf0336e4751b0a85d9786ada6ce7185e05988a511f646967e712cc1d | 386 | 8 |
| Powershell LocalAccount Manipulation | frack113 | Sigma Integrated Rule Set (GitHub) | b3caa02d87fceb141c3eb2e3715d1290976d6fdb56070c03362cd1fb6808f95d | 383 | 169 |
| Remote Access Tool - UltraViewer Execution | frack113 | Sigma Integrated Rule Set (GitHub) | e5a4bf7a1c38d3917af9af6ae6ee7c2038a1ad6450721694cc741d2410b05834 | 380 | 171 |
| New ODBC Driver Registered | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a5902259c1aea8cf86393e1e31b5bbe43caabcb3df6b2f410176d1b2c8ac6cab | 379 | 281 |
| Suspicious Download From File-Sharing Website Via Bitsadmin | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 54145fc7feb54b73cba1cc24c4cd84fd7f99ba4e75cc334003bc39785217bc30 | 379 | 64 |
| Gatekeeper Bypass via Xattr | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 7f400a75c32e600540f4565bd2cb4099e67aab98f70299b5fe20136c9bc9f13b | 377 | 332 |
| Disable Administrative Share Creation at Startup | frack113 | Sigma Integrated Rule Set (GitHub) | 529a42d20f26a0247c669d877e7a0260adfafaaf2627c9f33ad4d8b571e8d20a | 372 | 5 |
| Renamed Remote Utilities RAT (RURAT) Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a7d9d6781e1b1a5c65f3603e5aa6e2da23879bb16ea543f313a3d39f5d7949a8 | 370 | 12 |
| Trust Access Disable For VBApplications | Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 262bfe67aaa5a8f3edc4f148e59a0ee2c9aab2cdd6e1833ff3cac93540de2c0a | 369 | 11 |
| Windows Defender Threat Detected | Ján Trenčanský | Sigma Integrated Rule Set (GitHub) | cf90b923dcb2c8192e6651425886607684aac6680bf25b20c39ae3f8743aebf1 | 369 | 324 |
| Powershell Exfiltration Over SMTP | frack113 | Sigma Integrated Rule Set (GitHub) | b09b9f74febb3e25b3de69614b6193a2740c00fe9e7ccf5e62f503de56c5c1bf | 368 | 229 |
| Office product drops script at suspicious location | Joe Security | Joe Security Rule Set (GitHub) | 67124e7349285a993dc331738db576ef56c6cb9724bf1cea7695561498a0fb35 | 367 | 46 |
| Rhadamanthys Stealer Module Launch Via Rundll32.EXE | TropChaud | Sigma Integrated Rule Set (GitHub) | de0e634fa9106c661586ec7674b77259237dd3f5bd92358ce52a278d05072e99 | 364 | 2 |
| Clear PowerShell History - PowerShell | Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 75df0b220ddaf477070a84227ba8e5430f5d4bbcfdfe1ad41ca6da62894c03ed | 362 | 97 |
| System Scripts Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | e508e0cd0078f2c99fa9a87448bebda5652165ba069b1c9c4a89ecc4a2b385ca | 357 | 0 |
| Potential PlugX Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 660cdd939969505754f58fd81c22dc2f313f6b7a8fcfcc55f0a45d62d879734f | 347 | 11 |
| Squirrel Lolbin | Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 556a1aa7c513ecf9a4f6edfb0176deb074a2cf1447650e01766fe9efee338c35 | 345 | 220 |
| UAC Bypass With Fake DLL | oscd.community, Dmitry Uchakin | Sigma Integrated Rule Set (GitHub) | f7b3aa6e9bcd6bb0bf047e633bb513434546a05f9322c433f8df8c2355115339 | 345 | 142 |
| Writing Of Malicious Files To The Fonts Folder | Sreeman | Sigma Integrated Rule Set (GitHub) | 50cc064f594178311fd316bf296afdcb85c962c45cbc15ab0984ca5de2940d67 | 345 | 3 |
| WannaCry Ransomware Activity | Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | b8a9a3d755cac11238eb37aa06d27255714356075872c2e2e140acfb3e8ab8b0 | 343 | 3 |
| Data Copied To Clipboard Via Clip.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | d1138c20627ece208ac948647342866415641b06510830449eb2bf7d2f32e4af | 342 | 61 |
| Connection Initiated Via Certutil.EXE | frack113, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 80b6e3dc8d08ed8e3d4ef52e59af689b5f0215b08d92b3fce2310539c37b6b31 | 341 | 55 |
| Sapphire Ransomware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | af5ee1ff302412603f190ad74d459219970f99e1b5a92d952a2e953f522b38c3 | 340 | 0 |
| Glupteba malware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f75c71f7be8a63670e0c606b582900d5a921916b46408da383beb0786cb5588f | 336 | 1 |
| Potential Tampering With RDP Related Registry Keys Via Reg.EXE | pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport | Sigma Integrated Rule Set (GitHub) | e56cee5542b4c0d63057ea40087d4adf80e75c85d61d4c444e7b3f9b64a62cd5 | 333 | 87 |
| Suspicious Interactive PowerShell as SYSTEM | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f8335c66f6b8aed850de5246bacec6f1eee18e5549c581e9892827d840e5720a | 333 | 3 |
| Active Directory Computers Enumeration With Get-AdComputer | frack113 | Sigma Integrated Rule Set (GitHub) | 37b6b961c7d630d66ed7dffc1fa2aae8811008a45bb73eadb3a78bd34a309c6b | 331 | 212 |
| Exports Registry Key To a File | Oddvar Moe, Sander Wiebing, oscd.community | Sigma Integrated Rule Set (GitHub) | a5e61828c15a99ec1e32a76e1f2d9bca2eba0d5d62d10197c69a8988b85c445a | 331 | 104 |
| Renamed Vmnat.exe Execution | elhoim | Sigma Integrated Rule Set (GitHub) | a94bce44672eb0c1fb09c1cec60477d64a82eb540559b6577c4370d99fbb38ee | 331 | 6 |
| Suspicious Execution Location Of Wermgr.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 83b8f87b02d40783b017b20b24c9d622b8aa76ca308e3f4219d233beabd20b07 | 331 | 19 |
| Suspicious Binary Writes Via AnyDesk | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e63c082925104de00901f48dacf129e0a824bbe55c24ed90ba31d4e82c44f216 | 329 | 6 |
| Atbroker Registry Change | Mateusz Wydra, oscd.community | Sigma Integrated Rule Set (GitHub) | 15ae81a84c9a92e5ffb3bc1c4cecc28883ece49fc1ceef55d745ac094ece0622 | 328 | 195 |
| Suspicious Connection to Remote Account | frack113 | Sigma Integrated Rule Set (GitHub) | 71f9611fe50b2788a25e6b1c3fb3d035c5e04dfe73447ed185bfde157084fc72 | 327 | 160 |
| Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded | Perez Diego (@darkquassar), oscd.community, Ecco | Sigma Integrated Rule Set (GitHub) | 3be9b8df84e3f6ada915083f86f0f6325f5e3243c3d383f8bf5413b9388ae350 | 326 | 117 |
| HackTool - winPEAS Execution | Georg Lauenstein (sure[secure]) | Sigma Integrated Rule Set (GitHub) | bdf9a7887267777773c9949f494e9799efef1be392343e309b16334f10b7bd66 | 322 | 14 |
| PUA - AdvancedRun Suspicious Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 75719e469ef20b32e309a7f6531a0e2548349e059e4c4d943740490e0dd8f526 | 320 | 0 |
| Hypervisor Enforced Code Integrity Disabled | Nasreddine Bencherchali (Nextron Systems), Anish Bogati | Sigma Integrated Rule Set (GitHub) | d7747cd9601aab6c6a1df6e7b6a31da269e383405a5100fb533784f3e7a52085 | 316 | 18 |
| Microsoft Binary Suspicious Communication Endpoint | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d01338d0a87197c0e5132ec7b920332c01f5c9e8218c727591d81888d10a9754 | 312 | 0 |
| PowerShell Script Change Permission Via Set-Acl - PsScript | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 30f46284fa7f3fb0c36a6eea80464adf534469d7973d103ba867d6a004a5ce53 | 312 | 144 |
| Potential Attachment Manager Settings Associations Tamper | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | beea9838b890b61ccab05d6321880b112538b784e3caf82454293c4c087caadb | 310 | 2 |
| A Member Was Removed From a Security-Enabled Global Group | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | 1d6eea9825839d71a79ed93bd0f383b8826d8a1ca80c0d063e7f43e648b2d67c | 308 | 62 |
| Crontab Enumeration | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 23f3512bc30a856ca1f3906b9e52716a70df17c2083065536ac9ea6176aaf3ba | 308 | 46 |
| Suspicious XOR Encoded PowerShell Command | Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 312888984ff0222cd7bd45936afd14feea146948ac0e6941f3e0513e56d51e65 | 307 | 0 |
| Suspicious Unattend.xml File Access | frack113 | Sigma Integrated Rule Set (GitHub) | ab4f3a9eb0931d1b25be0e6ec70048514d987acda1b98b078b334de53d084360 | 301 | 61 |
| Potential Rundll32 Execution With DLL Stored In ADS | Harjot Singh, '@cyb3rjy0t' | Sigma Integrated Rule Set (GitHub) | 115d14851bb2ec7497bd4b28be653bf38f285d93d2dc7bbe1c9c7ac94a76da3f | 300 | 99 |
| Suspicious PowerShell IEX Execution Patterns | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9cede5a1c6382a5e4dd57d439fbcb57f927088bb5c3e1d4019c03562c3b4f9e5 | 298 | 26 |
| PDQ Deploy Remote Adminstartion Tool Execution | frack113 | Sigma Integrated Rule Set (GitHub) | d4455289124296f34e652e21b22099e2dbeb914261581fba842def35d85a6d92 | 295 | 279 |
| PowerShell Remote Session Creation | frack113 | Sigma Integrated Rule Set (GitHub) | 2edbd80b280a70f7636ca307800e2c61b25d829eca7c992125bf15782e91f688 | 295 | 166 |
| Decode Base64 Encoded Text | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 0f307ac40cafbbdb1e262b899732195a25952ad5bb013ca8e6d280eefd45a141 | 294 | 59 |
| Suspicious Processes Spawned by Java.EXE | Andreas Hunkeler (@Karneades), Florian Roth | Sigma Integrated Rule Set (GitHub) | 0119b24f133d3f3142f84b35c30b7b1c417c4418f4d18098200208947ac5d041 | 294 | 89 |
| Register Jar In Run Key | Joe Security | Joe Security Rule Set (GitHub) | a251b526d9024ed7f489fe7b9c2182080e067f2d35068063c5fd326283d9b1ba | 293 | 1 |
| PUA - Netcat Suspicious Execution | frack113, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 358a95254318aa55ff499eb64277dff47957ac37c6370873673433bd55e77cf8 | 292 | 12 |
| Potential PowerShell Execution Policy Tampering | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 49b185e25e68c30cebd01a44e72bda0c359c132bb364ef487a935de293813a78 | 292 | 90 |
| Suspicious PowerShell Download - PoshModule | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 69130b2eb287f08303a7092222cc3a0be896a066b64f8b32f96d08ff4708e37f | 291 | 5 |
| Windows Defender Real-Time Protection Disabled | AlertIQ | Sigma Integrated Rule Set (GitHub) | 19a5c3cad343931aed1e013cfe07ab95ba7b853ee5b40c6828fc766529e602bf | 290 | 3 |
| Buffer Overflow Attempts | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ad1714ed24aec2fa28551a247a666369e496ada2acb48b02b3b266083d75e6b1 | 289 | 182 |
| Outbound RDP Connections Over Non-Standard Tools | Markus Neis | Sigma Integrated Rule Set (GitHub) | dbfca88ab9ee6831be6d244ddd8d59d64840215c6266895aed60b0192f60f226 | 288 | 3 |
| UAC Bypass Using PkgMgr and DISM | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5b0ad2dce2b0a9bde121d5016b3379c08f507ccce3f43e43a65fe518a16ba50c | 285 | 30 |
| Suspicious Curl File Upload - Linux | Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update) | Sigma Integrated Rule Set (GitHub) | 53df4e098ad6e906fbb05243a95d838a673d2ba830a6c9ee0cabeac59d2f9a9d | 284 | 235 |
| CoViper Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c388ee7bf8678acd149ab04cc3dc6f3d923b3c2a7684f42de0c984c16de1c023 | 281 | 3 |
| Manipulation of User Computer or Group Security Principals Across AD | frack113 | Sigma Integrated Rule Set (GitHub) | 080f39fb13644d7055303fabf2a4ace323c7ca1c92ffe33c37a94ed397cecedd | 280 | 74 |
| Potential Persistence Via MyComputer Registry Keys | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f776409e7a0ad2cd5dbb2241bddedc4d94cffb55043ccb0254fd7266f7f10720 | 277 | 112 |
| Bladabindi backdoor | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 21b5ec718fa5dffa5785f1bdf68d0bab711e89bf6d4613aab3af0c7d0acdbd0a | 276 | 0 |
| Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE | jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 396c0639fa0d38dbd62b1c1baa0fae0b008178fb81dfebaf1cc70a858c610190 | 275 | 126 |
| Search for Antivirus process | Joe Security | Joe Security Rule Set (GitHub) | b0b2b7f76cb8009a5eba92496814aadf2b2a17d8f5ffdc4169a2a8a8b6335ee7 | 272 | 22 |
| PowerView PowerShell Cmdlets - ScriptBlock | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | c9a0fa3e3f43c8762528ddcca56a26673a3f37eb9077f2657884e8b847fb9ba8 | 271 | 85 |
| Potential Invoke-Mimikatz PowerShell Script | Tim Rauch, Elastic (idea) | Sigma Integrated Rule Set (GitHub) | eea4b79cda06d89aedf4a8bef48f151e04c00dcefd21c9b9c8dcb3d1457b226a | 269 | 6 |
| Suspicious Activity in Shell Commands | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9f38dd0d0f681b4185f6a6008d3904a10d8e2fe4e9dcf5aaba007262f1230dcb | 269 | 13 |
| Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a4380ca308017f92e049147ec46e562ab46b9642b1952944647bb9bf85e4c95d | 266 | 18 |
| Suspicious Schtasks Execution AppData Folder | pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a09b70879bee26f128e93430015539e1b08567dd211bd7411ff6e600ed8d5f6b | 266 | 58 |
| Remote Access Tool - ScreenConnect Remote Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 170e0c16739cbbdcf75e4053e9fa80a10dbe8a05bdeb1d83020ad37566d796b9 | 264 | 4 |
| AddinUtil.EXE Execution From Uncommon Directory | Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) | Sigma Integrated Rule Set (GitHub) | 28cd83ce12bf7ac57977773f55d7b8b368541555cc375faa0ba5968fd2d99a60 | 263 | 8 |
| Nltest.EXE Execution | Arun Chauhan | Sigma Integrated Rule Set (GitHub) | 03ddbba7f8c72cbe2e0de21552f7f8f8a101955c12556c2bdb06219c0c968836 | 263 | 141 |
| Run temp file via regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | c70694dd88c0a5a32ad8a52ef4ad97a6525c281308ba84e791661580aab19264 | 260 | 31 |
| Suspicious GPO Discovery With Get-GPO | frack113 | Sigma Integrated Rule Set (GitHub) | 039172cd0dec626a7758aecf1db76255b8994bc61501f3a732abb90dc4e88560 | 259 | 111 |
| Linux Crypto Mining Indicators | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a54f90d76f6357c3494a27966d9ddc15850d9dd07fd3848ac2a031ac149bec1a | 258 | 4 |
| Suspicious WebDav Client Execution Via Rundll32.EXE | Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a2c6a7629f2d0d6b18c2ce3cddbee5522cbf1f3e6e8bcf0692c9e9393724ebaf | 256 | 16 |
| Uninstall Sysinternals Sysmon | frack113 | Sigma Integrated Rule Set (GitHub) | 422a2d0c4ea81e0f14306603309b37fedea591abe396235a46638eedb3aa069a | 256 | 4 |
| Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 44eceb73238948cbe65640378028a4f9d3a835bd2929cd4b8462e465a825c85d | 254 | 38 |
| Check external IP via Powershell | Joe Security | Joe Security Rule Set (GitHub) | 4b3ac3a4fac3672c92791075c26f1e10555eb3385628b923bccd8cbbd5dc83a1 | 252 | 42 |
| WebDav Client Execution Via Rundll32.EXE | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 27f312fa081c26ea0c76a26a31e9c6fe7a974b36000c89db9e288fd1ca3a6e9e | 252 | 98 |
| Suspicious Scheduled Task Name As GUID | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ef39cf85c48f12af91e233355369755a0620b84ae2ffacce7f740a2b429531d1 | 251 | 3 |
| Potential 7za.DLL Sideloading | X__Junior | Sigma Integrated Rule Set (GitHub) | aec40a5dfd8adbf624b6c870c2aaa6c94cbc9435be56b32bfce0204180123841 | 249 | 170 |
| Csc.EXE Execution Form Potentially Suspicious Parent | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b0e07fc365ce0d0690c84a20e3467a5be2301d1c4de1e87bcbb9cb9ea841222c | 246 | 14 |
| Whoami.EXE Execution From Privileged Process | Florian Roth (Nextron Systems), Teymur Kheirkhabarov | Sigma Integrated Rule Set (GitHub) | f3863a9acecacb856747d09b6541ff99d6245853902c8785a4d4985fde12bf22 | 246 | 17 |
| Bash Interactive Shell | @d4ns4n_ | Sigma Integrated Rule Set (GitHub) | f79f3c90ed2814f8c1329307fde553431e9978c1fb579ef0824abb01a64310bf | 241 | 117 |
| Potential Raspberry Robin Dot Ending File | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 36337e6a48c8f0ee0480d1739b35c93b2d000d9b86a4ac01dbf80b5960b6db32 | 236 | 84 |
| Schedule CERTUTIL windows binary | Joe Security | Joe Security Rule Set (GitHub) | 5afe0a8f1f7fbc102dbeb6382c6e3e9702f05c872dee6c8309d805831b7dbbe2 | 236 | 0 |
| Use of Pcalua For Execution | Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | 15a88fc8b846a774c398a2350aba9d8b4203f0cbb095abb4035f8f0e2c3ca2d5 | 236 | 7 |
| WMIC Remote Command Execution | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a72068f1e78b9563b352425ce5dd77aeaebcabfd4790a51a78cfd11d07e016a8 | 236 | 32 |
| Suspicious exeplorer.exe execution | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 2f0a10e6befc35eb8cf3d8af89b1db1a84a53b5aff114a90c2d1b0a3a697d1ac | 235 | 26 |
| Clearing Windows Console History | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 30041403950554ea68cae8436931add62874ca499364d423bd04a8ccb124d999 | 232 | 63 |
| Cred Dump Tools Dropped Files | Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 45248d2871f8e9f12191effed010f35a307cc4e1eb1350ad7dd486fc07bc0bdb | 232 | 33 |
| Suspicious Service Installed | xknow (@xknow_infosec), xorxes (@xor_xes) | Sigma Integrated Rule Set (GitHub) | 7cbbf00cea5dc446cd78a75bf887ac0cc4816a0c14fb2fc31cb6c2e5043641e3 | 231 | 8 |
| Suspicious Office Token Search Via CLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d914cc65d6c2c6363da71b09c2053c49031ad5dd7762f7e08df307adf0892f8f | 228 | 109 |
| PowerShell Base64 Encoded WMI Classes | Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1d5a6acf8297313dfc47ed41e174ccbdcf2ac0a174e059a599f880ad761dfe89 | 226 | 1 |
| Psexec Execution | omkar72 | Sigma Integrated Rule Set (GitHub) | 38908b57fac2bfb8f5f8466c64aa654432aa3d6f14700b122a4c4afb85f51879 | 226 | 3 |
| Renamed CURL.EXE Execution | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e90bd630609a035372a71ff4471ee3d2e99ffb6464b8370ef394ea1a4d2c36f9 | 226 | 11 |
| Suspicious HH.EXE Execution | Maxim Pavlunin | Sigma Integrated Rule Set (GitHub) | f011f2d580ad7a21cd2da8b72d5734b707147be0ec1270fb20fc1aa455fd4d89 | 226 | 11 |
| DarkGate - Autoit3.EXE Execution Parameters | Micah Babinski | Sigma Integrated Rule Set (GitHub) | 9d3ba304b0b049fd4dd6a95685a9801b6cc9da0ac7837b8c106f010aa4f79723 | 225 | 10 |
| Detect Virtualbox Driver Installation OR Starting Of VMs | Janantha Marasinghe | Sigma Integrated Rule Set (GitHub) | 3cbde0faee76f7509cfde702c1c324a83ac88cb58f0e0f74b2682a9b60369b1e | 224 | 77 |
| WinDivert Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b7ad594d8528d4ee4c0201b1a0852d42e9fc45976e984ed534f502290031e73a | 224 | 50 |
| PUA - Process Hacker Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b0d1bb8b34cc8998b5c64517d209194141fc1ade58d04a41bb18fd11be56edfc | 223 | 0 |
| PoetRAT detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 9d199db1a634577d3f5cc20a856125c4d011cf3785ae959ddad5ca77431d81a2 | 223 | 0 |
| DUNIHI Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f4f15f4329fad912838474d3d5eb2925ae7045b2046b5dcf92c7c16c189927b5 | 220 | 0 |
| Indicator Removal on Host - Clear Mac System Logs | remotephone, oscd.community | Sigma Integrated Rule Set (GitHub) | adfe5f99b6a812a149fe86b53528239d9e7938e56d2864d1403950040a11e57b | 220 | 94 |
| PUA - Fast Reverse Proxy (FRP) Execution | frack113, Florian Roth | Sigma Integrated Rule Set (GitHub) | 2efa94e8cb6d016973ddbda2ca94b9db0d935bf31c7d4ede736b02e9d8ed25aa | 220 | 0 |
| TAINTEDSCRIBE - North Korean Trojan (Hidden Cobra) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 97f6a22231c4c8e243c104bf226d8fd3875f335f00fc724750e6b691770fbc5a | 220 | 122 |
| PUA - Rclone Execution | Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group | Sigma Integrated Rule Set (GitHub) | d682d09d3c15912248f0f367d755338bbf871b25380f62525ba288c8bf90689e | 219 | 110 |
| Potentially Suspicious Child Process Of ClickOnce Application | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 920fe62cf594dbba4b9849105e6af672ef9c197f7184586a009e3195bdd1c925 | 218 | 40 |
| Suspicious Download Via Certutil.EXE | Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 58420e39c1212a7677f357957516cbc90081f03f0eff5a93e3fa8476eefebfcf | 217 | 21 |
| Dism Remove Online Package | frack113 | Sigma Integrated Rule Set (GitHub) | 835544e76c588c424d064ff04c81b644c875fe6499d31ecb188d5e3e59f4e72d | 216 | 91 |
| HackTool - Certify Execution | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1feb34fc6cb1b6cc6e7f79cf3437684366634b5dbbdfd6e053e0f07cdecdd327 | 216 | 66 |
| Suspicious GUP Usage | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e52de558a2f45ea0c3633bf97f5181779246c0964d7003bd012f344221f012ba | 216 | 13 |
| RDP Sensitive Settings Changed | Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | e6aa587c97733e016f1b4f6f624300aedfd416066f9b69512bd9ab43d8b81d61 | 215 | 21 |
| Suspicious Curl Change User Agents | frack113 | Sigma Integrated Rule Set (GitHub) | 93f12e3e5c1af45ad5cce51fca771889beae9d1da27d23d889c557f217fc803f | 212 | 6 |
| Suspicious Epmap Connection | frack113, Tim Shelton (fps) | Sigma Integrated Rule Set (GitHub) | f7111a6bcb3ca53bd2233e4c87e194a56653dc72a81d92c78e707b7348c4f241 | 212 | 12 |
| LOLBIN Execution Of The FTP.EXE Binary | Victor Sergeev, oscd.community | Sigma Integrated Rule Set (GitHub) | 89f260c1bb244a6c153a5d3a5951ec6f517e5e846823da8b22d1b5192f798e62 | 209 | 31 |
| Netsh Allow Group Policy on Microsoft Defender Firewall | frack113 | Sigma Integrated Rule Set (GitHub) | 631a83ba9daa9bb7ff02be55784068db1eeaa6935ea10809a1b8a8cf4ce2abd3 | 209 | 45 |
| InfDefaultInstall.exe .inf Execution | frack113 | Sigma Integrated Rule Set (GitHub) | f6602c9cc48a37aa44fbfc4ffe4560e8f37e1934e365a235af4ae61c9571ded1 | 208 | 27 |
| Service StartupType Change Via PowerShell Set-Service | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a1369ba6b294845b80eaa8e066a683a25e6d2cd458f78a519a4aa7cea4b3fba1 | 208 | 66 |
| EQNEDT32.EXE connecting to internet | Joe Security | Joe Security Rule Set (GitHub) | 3b421cd3a4401c0dfc3d2c5613d705669e2bdcf8d998c4e363d2e1e5cbd328d4 | 206 | 0 |
| HackTool - Koadic Execution | wagga, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | c5d484cc0502bed15307c6bcc483ba03518aaa99ca3cca09b01da3ea57317777 | 206 | 6 |
| Suspicious Microsoft OneNote Child Process | Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | c2b8793bc5dc3f78c117608b17e59499e853d298dba8c03f56b4bbcd6d0c0f16 | 206 | 2 |
| Set custom UserAgent and download file via Powershell | Joe Security | Joe Security Rule Set (GitHub) | e582e78adeafd207d6a2f3d950ffcb4127273371fb705b3ef4b6930eb5bb79d5 | 204 | 1 |
| credwiz.exe DLL side loading | Den Iuzvyk | SOC Prime Threat Detection Marketplace | d83f2abd95409ecc8fb4d4930072a48b4a677def3d31b022a95e99d5873fc27a | 204 | 41 |
| Copy From Or To Admin Share Or Sysvol Folder | Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 253df726683ee378cff180cb32526ec9f10b897edda084113b11cbeba118fbe3 | 203 | 35 |
| PUA - System Informer Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a00758f1aca02cbafe08dfea3c9d6fc45ef3972d7e1ccc41ef3df19293c36d15 | 203 | 21 |
| EVTX Created In Uncommon Location | D3F7A5105 | Sigma Integrated Rule Set (GitHub) | be104b5c33d23ea5b193fa207267ec1f1058e6a2096a14b67fc5c957fdb94b85 | 201 | 108 |
| Valak Behavior (Sysmon and Cmdline) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 7703b5b01adde91ddc9f6ec5a2ba30dd35be11277cad519ecdf5442a8358319f | 200 | 37 |
| Compressed File Extraction Via Tar.EXE | AdmU3 | Sigma Integrated Rule Set (GitHub) | b0ed746e9cd2eab869bddc4a8122b28ee59bdf9fb2bedec78463b8df812919f3 | 197 | 91 |
| Payload Decoded and Decrypted via Built-in Utilities | Tim Rauch (rule), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | 8df9869d57c609e184a4e1d02d938d96351116a7e5fe08436fb539b7cb675267 | 196 | 0 |
| Disable Or Stop Services | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0aefa5af3ce18645188a34cbad40ebfc008ebab07e5d5404a636792bb7023634 | 195 | 101 |
| Suspicious Download From Direct IP Via Bitsadmin | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 341222e0eba20f3fbf807a78669d6bd5ab3f6245589b85086cece2a9518283ca | 195 | 19 |
| Change User Agents with WebRequest | frack113 | Sigma Integrated Rule Set (GitHub) | 024c79f380ec5ead6ad1ccc07deb79a5a281021a443831220b62f700f9cfe3d5 | 194 | 85 |
| Suspicious Process By Web Server Process | Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ca0321ec695742141eb7a3fb00dfc04170d24e00d3f021803c488451d9c4648f | 194 | 3 |
| Schedule script from internet via mshta | Joe Security | Joe Security Rule Set (GitHub) | a3c2a24a999f3a9870f6ace27e73e7bdf30d18dcf0bc4873bfe196f5bec81ad4 | 193 | 0 |
| Suspicious Obfuscated PowerShell Code | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d8233999a8d30f6ee903ed094bc3c6fe4008a4be43a580311a9d379867e54538 | 193 | 10 |
| Persistence Via TypedPaths - CommandLine | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3f78ff7ab6850cb34de03f0d9dd46de9ae0b96b1eeb140dcda89aabc2b7462a0 | 192 | 55 |
| Suspicious Creation with Colorcpl | frack113 | Sigma Integrated Rule Set (GitHub) | 4a29af926d08877fafd396f3d616bf6c90064503754db0460c36b7c0dd99dbbc | 192 | 6 |
| Clear Linux Logs | Ömer Günal, oscd.community | Sigma Integrated Rule Set (GitHub) | 4a4b8d80ea9937a6728e92b1079891255ed26e302f37e290db84bbaffc71c386 | 189 | 63 |
| PowerShell Base64 Encoded IEX Cmdlet | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6011c0e706a0ea8a69892186b9808f52466832e2c60ea353b876a15100a2c891 | 189 | 0 |
| Shedule hidden powershell script | Joe Security | Joe Security Rule Set (GitHub) | 9277300d8dfe7cfc29e41129553c4d7c59c4b709d4b1716c8fe9cc037c9bc29d | 189 | 13 |
| Disable PUA Protection on Windows Defender | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 09a64c87ba1b11c75a19c495d100b0ef9fa95955560f0e1b4f9f2842159caaef | 188 | 1 |
| Renamed Whoami Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f22be736aa7b4ddd0d6ce96e785fbb7adbcb991517763b72a098333df9610f14 | 188 | 4 |
| Possible Process Enumeration (Sysmon/Windows Logs). | Roman Ranskyi | SOC Prime Threat Detection Marketplace | 1b3947466060dff55a89da9e24ec34cca8df9c4dbf704a3b3a9120eb3df96e3a | 187 | 120 |
| PowerShell Hotfix Enumeration | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6715493a73f1ae31ce901cd48d6907aafa006d047fa07301d790319a8ff89813 | 187 | 123 |
| CrashControl CrashDump Disabled | Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | de530c1426a408ae40cc5a51e752587348efab456b3dcc12204b8c47a389eb83 | 182 | 7 |
| msiexec download and execute | Joe Security | Joe Security Rule Set (GitHub) | 80df93b91d026bd6faf3f28497aecc8b5a81a6553fe9336a204b11f4dcef8733 | 182 | 1 |
| Root Certificate Installed - PowerShell | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | 0226d2c44e3b81cd4d31e7a8e55f6a3e3835b44939f721d5527b610071ebf40b | 180 | 81 |
| PowerShell Create Local User | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 065b49beca5cc42953a5612a7a5342fd18266f128a46b1a788c3f358f775a191 | 179 | 46 |
| Uncommon Extension Shim Database Installation Via Sdbinst.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 813f8997c08df471ef89b590a0967a9068aaf4baa601376fcc7dc9060d98dfb0 | 179 | 84 |
| Persistence Via Sudoers Files | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f8ee3ba4187b3d0d1e52e0c2db8dd9b1bca93d09c84da45024fc646b37179ae9 | 178 | 6 |
| Uncommon Child Processes Of SndVol.exe | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ae29aa8c58d6f592b709707a80042a957eb54a89d6411f1fe9b6bf12bd4f225c | 178 | 0 |
| PUA - Seatbelt Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c38f8f9eadbe19471d3a16edc3057b1660a29e4b74e90fb2ff929df10c440a40 | 177 | 2 |
| RDP Connection Allowed Via Netsh.EXE | Sander Wiebing | Sigma Integrated Rule Set (GitHub) | 0edbdff715350e06427add8d168d0d14de79ec048ea17f4a243589e2ccdc63df | 176 | 18 |
| Saefko RAT (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e036021928c6159521691ec6551a2b2c660a651ff2c69171bb3db4fc676b2e17 | 176 | 0 |
| Potential Powershell ReverseShell Connection | FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1b46ecd9aa9660208e7f7cbb3e4ad79d7fc469adb5c2c5dc81af712ebce9b80c | 175 | 14 |
| New Process Created Via Wmic.EXE | Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community | Sigma Integrated Rule Set (GitHub) | 29ea4c436137aafe4f4ab08ff716f2a03e416beb0802c5a009cfb266b5d948c6 | 174 | 4 |
| Obfuscated IP Download Activity | Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ffc754712d43996d8ad6fc8498ab7057e29da0a46860be0cb0daab6dd58f1afc | 174 | 29 |
| Odbcconf.EXE Suspicious DLL Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 16ea31e234af1f8991ca97669b5681616ecdd409eacb4c3b0b4e2cc3febfd702 | 174 | 40 |
| Potential Persistence Attempt Via Existing Service Tampering | Sreeman | Sigma Integrated Rule Set (GitHub) | 01b2124bf0e9019139ef617d15b67080610ffd3584d4fa0cf7c646bd3f11853b | 174 | 37 |
| AADInternals PowerShell Cmdlets Execution - PsScript | Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6d5567356ba0845cc4858843f110d6459b2d79576a5e0139dd7b2218b9f556e8 | 173 | 165 |
| Disabled Windows Defender Eventlog | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d8e5c8a4902824901a6b91baa07694ac8ea9e13689cebd342572a8b546bad5bc | 173 | 3 |
| Remove Scheduled Cron Task/Job | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a0e343af9ac4b19a8ff9f0cd81d30a29e473fb0938c05d141f74e93d6b7d8f83 | 173 | 12 |
| Winlogon Helper DLL | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 071f1cce27ada52da178afa07fd609ed14967f9058b386611411962f4c56b665 | 173 | 84 |
| Network Connection Initiated To Mega.nz | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f13e798225ef1d32c44d8511ab7c95a58e93d46b8c833bfb47f55eb5d9bb69e2 | 172 | 39 |
| Suspicious Child Process Of Wermgr.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 656aa4cd1d10955cd1240f1e010961aaeabc323850ef28dcdecc9f334ffabd54 | 172 | 1 |
| Potential DLL Sideloading Via ClassicExplorer32.dll | frack113 | Sigma Integrated Rule Set (GitHub) | 8fd7600f68e8c01123815959e3b174b06eb3794d62cb511c05e49548a44bebf2 | 170 | 39 |
| Use of Remote.exe | Christopher Peacock @SecurePeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | 598030e3b99748bb98e1a8c78a24023b80499c1526fd7b7719b5265a781b5402 | 170 | 56 |
| Compress Data and Lock With Password for Exfiltration With 7-ZIP | frack113 | Sigma Integrated Rule Set (GitHub) | 227d06b807fcca01531502ab9bf3471b44a2e7db88394d5d03f7e07a11adc2e3 | 169 | 85 |
| Code Injection by ld.so Preload | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ef655b20c81f4dddb081e2c7fe6c60ee0ea86d7e37cdf55fe02cd0c8586de4d1 | 168 | 18 |
| PsExec Service Execution | Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6ce71be75a7090fc85bf7d41e3b363a7a4dce58549844db0c3e5d9d3b32a3e0e | 168 | 8 |
| Password Provided In Command Line Of Net.EXE | Tim Shelton (HAWK.IO) | Sigma Integrated Rule Set (GitHub) | 356834a41f1b8ed94c954435f27d64f970ba67b17ac5474ddb8357cfbb8de8d8 | 167 | 55 |
| Potential Suspicious Mofcomp Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 890b5bcddab8d41ea499e521d3dabfb62f66e175c7e5968407080b5c7a4f2aa8 | 167 | 100 |
| Base64 MZ Header In CommandLine | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 754e38d8c28a41c5d8fab94446819cba31374961a938b11c2766647ee5dda64c | 166 | 7 |
| Potentially Suspicious Shell Script Creation in Profile Folder | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 75fbf85188235a403847898f76531554e988c5316df1299753442fad2ee0b7b1 | 166 | 39 |
| PowerShell Script Execution Policy Enabled | Nasreddine Bencherchali (Nextron Systems), Thurein Oo | Sigma Integrated Rule Set (GitHub) | 7d44a600e53e8dc468836aa200851d612b4e9d0cce60dc1cf0b2ddc30551134c | 166 | 3 |
| Suspicious New-PSDrive to Admin Share | frack113 | Sigma Integrated Rule Set (GitHub) | 9b5bc7e38efe4f1b17f2a923ca4fbbd1303baf2899f224b7e40278aea60cfc64 | 165 | 63 |
| Local Groups Discovery - Linux | Ömer Günal, Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 0b93262008400f8b22d04eac398727ff17377f8b7f399741a879ed674b5940f3 | 163 | 84 |
| Potential Recon Activity Using DriverQuery.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c887795f89a95940c21235ec7fff122040bc4c53b14e9a9ba700193f3a7db228 | 163 | 53 |
| Schtasks From Suspicious Folders | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | afcc7387bfcf1a39c26eb91bc6b000368dba233e0d6405a1ed3dc8b8e436f18e | 163 | 70 |
| Outlook Security Settings Updated - Registry | frack113 | Sigma Integrated Rule Set (GitHub) | ad1841979098a6b76c24ea780263b9da230373dc9a0d48d841538ec02cecb447 | 162 | 115 |
| Suspicious Unblock-File | frack113 | Sigma Integrated Rule Set (GitHub) | 71c164abf414b20e2e799e16de648202a68a8205db9f81d0dd28495ba9ce1ce7 | 161 | 79 |
| Application Terminated Via Wmic.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2db6346fec29f9d33fb9a84eeb0843c8dbb41e4c167ba165566d4a1f5b9c921c | 160 | 37 |
| Compressed File Creation Via Tar.EXE | Nasreddine Bencherchali (Nextron Systems), AdmU3 | Sigma Integrated Rule Set (GitHub) | 982905654574a9a7d204ef080147616dc585ddf0111f74d517a85ff94fcf04e7 | 160 | 63 |
| Kill multiple process | Joe Security | Joe Security Rule Set (GitHub) | 868e81758b31ab7d5c37adbd3798dbc1effacb9eeaad44e5f6c5f41c409fb786 | 160 | 0 |
| Windows Registry Trust Record Modification | Antonlovesdnb, Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | 9292d14bdf79582c701fad33de8f018f0151bb6acfc181fba0dd5d223cee498c | 157 | 56 |
| HackTool - CrackMapExec Execution Patterns | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 4adf455dcb8e143b4df56b115b6a64714aa6d18f105e8e3d9859c02f686e393b | 156 | 81 |
| Schedule binary from dotnet directory | Joe Security | Joe Security Rule Set (GitHub) | 3c44dc412b67786cb131e2f723dbcfd035125eb3c04b66bc8baf4a7efe0ac581 | 156 | 0 |
| Suspicious File Download From IP Via Curl.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ae613ed890bf3b871457b4c8ae4286d26be7254491c8e47c38fab809c4375d42 | 155 | 16 |
| MZRevenge Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 34b4fad92956929789617ef0c367187e5950267fc9fb902893bf5a6583ab5439 | 154 | 0 |
| PsExec Service File Creation | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 2638e4eb6733f565f75759fc7f3c7b2ce2d92f7a231f14859cad11aa82b929e9 | 154 | 11 |
| LSASS Process Memory Dump Files | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 532253e22b4c2a6410e693838434b30d959a9ebc0c04a0c861eeb9d593879009 | 153 | 5 |
| Nohup Execution | Christopher Peacock @SecurePeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | bad6dfec2abf828a85fe50bc6fb16600e7090a7d73658e2ae431aec1555bcbec | 153 | 56 |
| Schedule VBS From Appdata | Joe Security | Joe Security Rule Set (GitHub) | b16d941c7cf2248881a4d3da266d63655713389cafe7f2606ceb2b73fbace067 | 153 | 30 |
| Delete Shadow Copy Via Powershell | Joe Security | Joe Security Rule Set (GitHub) | d91fb994dcf44dbdd52950e6db5cdf99eba912926494deb2f92f3f2dbf232740 | 152 | 0 |
| Local Groups Reconnaissance Via Wmic.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 386f2bc7492f0e981a3ff4d07a1e865250fb5f4de55f43a70e9ca3e91bd61e31 | 151 | 14 |
| ClickOnce Trust Prompt Tampering | @SerkinValery, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0074b65628de8c068abdf29904b82da56361668862472dad4f92969c6bee1cf5 | 150 | 148 |
| Command Line Execution with Suspicious URL and AppData Strings | Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 0585dd5b67e1bced48ad1dc8f9e0b66fd4e44c6e7c14dd5b385950c97e15b768 | 150 | 6 |
| New Port Forwarding Rule Added Via Netsh.EXE | Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | 00fb9d21500af7c2b136a91e80c983e8f98843c063a63898c2775d7a5a91efa9 | 150 | 9 |
| PUA - Radmin Viewer Utility Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 656b04cfc858a6fe2bf9dd2c3fc9b7beef1f30399b5817f0ad3a3862463f3783 | 150 | 2 |
| Powershell downloading file from url shortener site | Joe Security | Joe Security Rule Set (GitHub) | f05d1fcd81ae053d34629eef4e2f082dd51622b2535713f47860649c3619d085 | 150 | 50 |
| Suspicious Hyper-V Cmdlets | frack113 | Sigma Integrated Rule Set (GitHub) | 62e075896842e5b2072a0b1610a9995667d1edd599e21657ffe829aa871cc56d | 149 | 109 |
| Ufw Force Stop Using Ufw-Init | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 3b99cfddafbe928cbdbe1bffc59282013b9389bce664830e434b17c6c47769d5 | 149 | 13 |
| MZRevenge Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c5132d9b7ddc56b36fc0095350bd8556ff7fc29c750387be3e0344beddf41f7b | 147 | 77 |
| Potentially Suspicious Child Process Of WinRAR.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3403fa242d939f60babe764c3b8083029e83943b7f7347ae53b880b8fdef114c | 147 | 1 |
| Powershell Timestomp | frack113 | Sigma Integrated Rule Set (GitHub) | 5b5656801277c44d48ce3c9f4c8c393d55f8c0943d2c641d4968a012bd160f38 | 147 | 60 |
| Suspicious Extrac32 Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 22466d36eb86be8a2f88344d2ad8707352f79b184489f7bc14547bcc6c82b9c1 | 147 | 57 |
| NetNTLM Downgrade Attack - Registry | Florian Roth (Nextron Systems), wagga | Sigma Integrated Rule Set (GitHub) | 5bced7470eb37ada15efd448b0a87615727c93557e648e225c3ee894c4b0ff08 | 146 | 19 |
| Password Filter DLL Modification (Sysmon Behavior) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | cdcaebb2c5505eed7b1cf8cbaff3316fe62d1be1354a3d77d6e25bca67c753d6 | 146 | 76 |
| System Control Panel Item Loaded From Uncommon Location | Anish Bogati | Sigma Integrated Rule Set (GitHub) | 7558a1c97a7b2400810934778152ef86113f31961b7d88655f0384652da936fb | 146 | 28 |
| Disable Security Tools | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | d934cd2adbdfb7c12ed5f937e36ed253d3f53495f0194507c0ea80b55f983957 | 145 | 38 |
| Potential AMSI COM Server Hijacking | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 738acd800035a9376f9c5ed9937f647fdc87ccefc57ccd0fab07a3fc108fa255 | 145 | 27 |
| Security Support Provider (SSP) Added to LSA Configuration | iwillkeepwatch | Sigma Integrated Rule Set (GitHub) | 303ed88ac4fc55c5f589ac99388d35769e708b361f23a767523b143a6751efc0 | 145 | 73 |
| Suspicious Eventlog Clear | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a049127770d6c92e914c0806277852c3b69f5e9cc86ca0f687e50e60c12d8868 | 145 | 44 |
| HackTool - Empire PowerShell Launch Parameters | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dae7277357ad237d5dfceb985bdbbaffa777a494f5cab14f067003795d395650 | 144 | 1 |
| Potential Raspberry Robin CPL Execution Activity | Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | c297c796b6f3b39c781e4e772cfee6de320f223e025982fd520d4128f069085e | 144 | 0 |
| Custom File Open Handler Executes PowerShell | CD_R0M_ | Sigma Integrated Rule Set (GitHub) | e441ec55e6c79f736b37301c124beac89f633c990d45a175da5e134af80e91c6 | 143 | 15 |
| Mstsc.EXE Execution With Local RDP File | Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock | Sigma Integrated Rule Set (GitHub) | 4476f97756130311a92e0412033fd3fdacf6c62d0eb95901dcab7519a0236740 | 142 | 31 |
| Pass the Hash Activity 2 | Dave Kennedy, Jeff Warren (method) / David Vassallo (rule) | Sigma Integrated Rule Set (GitHub) | 1e58f3b3a12845dad6be8befe76f8a0368d994ad5b069e672ac85d329bf336ed | 142 | 2 |
| Potentially Suspicious DLL Registered Via Odbcconf.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 391646c8321e490960603a2b21d983579e26c6c48aced031950d46bf9cbc4799 | 142 | 40 |
| Service Started/Stopped Via Wmic.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2e3d78c5e41e6de41cac9e7f1872a39a27300e4078b7a403b7c6d4f0ca96daba | 142 | 22 |
| Harvesting Of Wifi Credentials Via Netsh.EXE | Andreas Hunkeler (@Karneades), oscd.community | Sigma Integrated Rule Set (GitHub) | 9d07a4fa9892ca001b30724fd1594eff85b72585c8f1106889da7e97608509b4 | 141 | 6 |
| Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 25caa714d53ce1601014e133c61d1dd3b361938e96a8ab5f410b0f3de1c8f8c9 | 141 | 2 |
| Windows Admin Share Mount Via Net.EXE | oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga | Sigma Integrated Rule Set (GitHub) | 816c82737c8262b4f167d02b04198105def46bd23ea282a655786d387e88118c | 141 | 21 |
| Rare Remote Thread Creation By Uncommon Source Image | Perez Diego (@darkquassar), oscd.community | Sigma Integrated Rule Set (GitHub) | 11642a2b68a439e8804e904e15e5f8d7463330056739adb17310fefab75d3585 | 140 | 2 |
| Suspicious Get Information for SMB Share | frack113 | Sigma Integrated Rule Set (GitHub) | 78af9841681cc3ae06f2b42827aa5b5f54e7e1cd67967a87cc99a5e7d4cfe18d | 140 | 96 |
| Flush Iptables Ufw Chain | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 7bad36edd1846bfc2bf6f4e3318e8d1794ee3eafa59a025658cecfb8bde246f3 | 139 | 12 |
| New BITS Job Created Via Bitsadmin | frack113 | Sigma Integrated Rule Set (GitHub) | 1bd7a375097c5f1afa59522776e79bf741057e59bdf9df33985fe7db095c655c | 139 | 44 |
| Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 2291b42b147dc3089126be94f1bf34506fa822ea41904e0632fbe519dd3799a8 | 139 | 8 |
| SoreFang Malware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ef69867dec66e047e8894803bca76813e63b7a2f0d2bc6938e903f4accf5ae76 | 137 | 47 |
| Potential Shim Database Persistence via Sdbinst.EXE | Markus Neis | Sigma Integrated Rule Set (GitHub) | f228d8546016f76e5942e38208fa8a55735339d54ec3f56e63b2b9133b037a7c | 136 | 43 |
| PowerShell Credential Prompt | John Lambert (idea), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3673ff480d9b6da69d58b49cdbd4653446b39552e94717447405039cbb476c09 | 136 | 97 |
| Load Of RstrtMgr.DLL By A Suspicious Process | Luc Génaux | Sigma Integrated Rule Set (GitHub) | 768defcb9e242825579cefb1548499d288a81e43688bc48e91a51f9755a14106 | 135 | 4 |
| Active Directory Group Enumeration With Get-AdGroup | frack113 | Sigma Integrated Rule Set (GitHub) | 2363089b66b3f43001c4d30a1a0d4a7a622db02c1b8f68a3aa3be7c674be645f | 133 | 94 |
| Suspicious Workstation Locking via Rundll32 | frack113 | Sigma Integrated Rule Set (GitHub) | 7077cb988db6f3b9dad54bcebad8cd59c0e62dd4b3f4f99d281d5e2b721c92bf | 133 | 49 |
| Disable of ETW Trace | @neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | d85308a28516fa075ee74a4ffd11aea2be1f15add944422ade0969027648a3fa | 131 | 30 |
| RDP Hijacking. RDP port changed. | Den Iuzvyk | SOC Prime Threat Detection Marketplace | a917e763c89ea31922fe3dede8cc03c807a8b52f1a6f9eb0152291fea14c9416 | 131 | 9 |
| HackTool - Rubeus Execution - ScriptBlock | Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 98b35d6064ab9d23d69cf136567c9243c969bd5a1bf0f88f94c768bb1c624d71 | 129 | 2 |
| Vulnerable Dell BIOS Update Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 10577bdb5cec4b94b7c1d5ddcb04041555da105e51850313907d995a05c68dee | 128 | 66 |
| Security Privileges Enumeration Via Whoami.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a9f6af870a74ed20bfbc784983dc7fa8aae28d336e2f79a8fa8b72c32d6a9fa0 | 127 | 37 |
| Remove Immutable File Attribute | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 317e93721a5522556a572030086fc84621a557cc5edeccf22ab7af63689a5661 | 126 | 25 |
| Active Directory Parsing DLL Loaded Via Office Application | Antonlovesdnb | Sigma Integrated Rule Set (GitHub) | 6691a047173376a6c37e4a5a5a2ca36610041e928c2900eb7665491f798ff07e | 125 | 89 |
| Potential Webshell Creation On Static Website | Beyu Denis, oscd.community, Tim Shelton, Thurein Oo | Sigma Integrated Rule Set (GitHub) | a52a436bb2117d8c22878afc1facac963ffa5feca0046433c94396c44991c948 | 125 | 70 |
| Hiding User Account Via SpecialAccounts Registry Key | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | c5763f84925887a9d36054776ddf6d48e47d552ec2e7fed586026049488c127c | 124 | 36 |
| Potential Azure Browser SSO Abuse | Den Iuzvyk | Sigma Integrated Rule Set (GitHub) | 08cc3358fc66df84bafea574255088ebf9e6d0b56cc08317abc1bc31f94bab4b | 124 | 56 |
| System Integrity Protection (SIP) Enumeration | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 7cac7de2df55c2e3a6ea2825dc0a8ee65b4fa8c5e20a648776883eef5ed47cc4 | 124 | 99 |
| Download File To Potentially Suspicious Directory Via Wget | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | c14acc44b7a21724d221a1ace54effc332427d0340619e20a9dc8a66cec01ec7 | 121 | 98 |
| Potentially Suspicious Desktop Background Change Using Reg.EXE | Stephen Lincoln @slincoln-aiq (AttackIQ) | Sigma Integrated Rule Set (GitHub) | ad9e20584fed7e2a67c1b21ac30b801ba17f35dfe33a1200cfcc4af157454cfe | 121 | 35 |
| Wake-On-Lan | Joe Security | Joe Security Rule Set (GitHub) | 7695d2af7ecb7540baa69cd6442745f2c3bdd83d21c904b7a09b2d560c123439 | 119 | 2 |
| Request A Single Ticket via PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 7b7092f37f648c00a538947e2cb178b5c50e31e552b8bff8251ffaf4d4e49a68 | 117 | 10 |
| PUA - Nimgrab Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 91bdf8703cfbad287d4568a09b53790b20efdead5896d044bccf4d80efab7970 | 116 | 0 |
| WSL Child Process Anomaly | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 39a511112093810c2b82b35c4c8575b0f249dc7b9e8631fe75c6481c5c7e2658 | 116 | 0 |
| New File Association Using Exefile | Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | 3616394136d97f22be2d8a0718627a44f64289b519a8ab455bef574a2a43961a | 114 | 2 |
| New Remote Desktop Connection Initiated Via Mstsc.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 257b13d5b7127756fd3872ae69c87afe430e3a8d7933cef87a19e05fc1658d70 | 114 | 30 |
| Winlogon AllowMultipleTSSessions Enable | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4727efa76db9ecb53c0dd7505b171422c948b4b68999ca9c8f1a47f11a387ff6 | 114 | 7 |
| Control Panel Items | Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_) | Sigma Integrated Rule Set (GitHub) | 2f683c72a6ae438b4161918b9e82bb9c7e09f701f65f85be9231ced52084f219 | 113 | 24 |
| Fsutil Drive Enumeration | Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' | Sigma Integrated Rule Set (GitHub) | 29dde5587c090e85fff677c9d2643ac2deba99c10c07e68a2e71407af9991486 | 113 | 34 |
| Potential DLL File Download Via PowerShell Invoke-WebRequest | Florian Roth (Nextron Systems), Hieu Tran | Sigma Integrated Rule Set (GitHub) | abaf76ffe44f9fecc068eae92c53e3c5c4059258b40f40eafc69759c4661d667 | 113 | 21 |
| WMI Event Subscription | Tom Ueltschi (@c_APT_ure) | Sigma Integrated Rule Set (GitHub) | 07b95c7eb376ac65a345dc6a2c1cb03732e085818d93bd1ea2e7d3706619d78e | 113 | 22 |
| Potential Arbitrary Command Execution Using Msdt.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 96f35178aca93f73311713ffbcade7354646a1facaf7c2fce0201147d4b4b5c0 | 112 | 1 |
| Powershell add exclusion path, extension and process | Joe Security | Joe Security Rule Set (GitHub) | 177e7b167f988da0ec82090f6aaaa1ad7e74609b6832a0abb8759bc9e652fee2 | 112 | 1 |
| Lazarus System Binary Masquerading | Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1) | Sigma Integrated Rule Set (GitHub) | d945c7338838af1692c329f71f050302338029127281ca66006ba926c9a9d854 | 111 | 1 |
| PUA - Chisel Tunneling Tool Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2d130c854a78ff4630994ab2107c3a8b18cc55785432c30b32d253f1c219289a | 111 | 2 |
| Wusa Extracting Cab Files | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fb45aeb08550a3b51cede01e424c60a35987f3cba89d7a2e08d5783975154bda | 111 | 10 |
| Potentially Suspicious Ping/Copy Command Combination | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2dc5d25da9f75ae324bd1ef4e2e4fb2084251a622beac794700223e8c20907a3 | 109 | 0 |
| Gpresult Display Group Policy Information | frack113 | Sigma Integrated Rule Set (GitHub) | fdd0ef0378b9c7a67394fe97fcd782578201d6012af812d4f19483149704a866 | 108 | 33 |
| Internet Explorer DisableFirstRunCustomize Enabled | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b5977f01764dc3b0e2e3b7592943fc4bb6b4e55d5fcec607c905ea26d222e9c6 | 108 | 12 |
| Port Forwarding Activity Via SSH.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c815b3703c48114366c7be5b543fc8851073e1b27fde789d784a09a657295a9d | 108 | 19 |
| Suspicious Execution of Shutdown to Log Out | frack113 | Sigma Integrated Rule Set (GitHub) | 3970bd95a88d05869fab2e89b8b02fda81406f83ecd9e197b1249a06a3f8eb62 | 108 | 30 |
| Potential Persistence Via GlobalFlags | Karneades, Jonhnathan Ribeiro, Florian Roth | Sigma Integrated Rule Set (GitHub) | 94ec0949b00016f88171e5d46125aad5bcbd3980d50085c2ae009dcd34e39190 | 107 | 16 |
| Ramsay Malware Behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 9a24e548df204cab86a6489b32a696d4f00e8933893536c518bc73e457c7f3a0 | 107 | 29 |
| Suspicious Outlook Child Process | Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team | Sigma Integrated Rule Set (GitHub) | b05b4cfe9fd991fdb7151994946888d5558694fb5cd0726cb437ec39e393a597 | 107 | 2 |
| Potential CCleanerDU.DLL Sideloading | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5009a283b0a4eb41a0b527ce473a2e7865766f8bcdb943ddebb06bc75f1c479f | 106 | 61 |
| Procdump Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c3f48ada664e96b916cbb2ed88c7f622ced143f3f9e2c039bd4516f81e1c1e4a | 106 | 65 |
| Suspicious SSL Connection | frack113 | Sigma Integrated Rule Set (GitHub) | 862ef09072518dbd7b5900500c4908a6284ee88f03b45ad0c0b20f3eb495f645 | 106 | 3 |
| Lolbin Ssh.exe Use As Proxy | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 2055166f6099144ebb73ce53abe7aadcd74447fb30806756d8fe22ac92352f1d | 105 | 22 |
| Suspicious MSDT Parent Process | Nextron Systems | Sigma Integrated Rule Set (GitHub) | 22974e8b759cb4125a56f2d16e37f8fa3020d7ae087aad754afe46386ea694e0 | 105 | 59 |
| WMI Remote Command Execution | frack113 | Sigma Integrated Rule Set (GitHub) | c63cb58172dccb53cf9cd1dd7f6a65cc8843987d003bcbb7b0c1e7769c3821c4 | 105 | 28 |
| Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton | Sigma Integrated Rule Set (GitHub) | c654002dc2859e8a2f74ec87ad6ff4deaaf0f42f99603aa964e30ed1b1f01cc1 | 104 | 2 |
| Cmstp Making Network Connection | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3ee0f25c3d0b70476bccad0e57a0351cf8822d966bb558a9a49836dccbc9fe41 | 104 | 0 |
| Sysmon Configuration Error | frack113 | Sigma Integrated Rule Set (GitHub) | 1cd7d30672aa97bf7ad987f1430427c4badcaf9359b200f28071d8b243834f07 | 104 | 9 |
| DarkGate | Joe Security | Joe Security Rule Set (GitHub) | dfc9dcb8ede2865dff1a44cb75938a2bc7fdc4d1e1df42cbe2d0cbc6472da1a1 | 103 | 0 |
| MMC20 Lateral Movement | @2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea) | Sigma Integrated Rule Set (GitHub) | 047087ddae3ef4f27e871131c79addb166cb71593c4fb795a5d119d4d78cd0a7 | 103 | 2 |
| Malicious Base64 Encoded PowerShell Keywords in Command Lines | John Lambert (rule) | Sigma Integrated Rule Set (GitHub) | 2741e38c5a55999659c8e2ffe6365a21db8ec070e03a5a2f78326209ada99b63 | 103 | 2 |
| Windows Firewall Profile Disabled | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 489692e72dc0017d68cdd2188f43e162f46de9955dce51c32323345919b76b0e | 103 | 27 |
| Potential Qakbot Rundll32 Execution | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 03f2abf64a64f57b8e66090fc2f63645b79fe633bbffa28d32e0440b03c4c0b9 | 102 | 62 |
| LOLBAS wsl.exe (via cmdline) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 55bd30964b2c80cd229425cd10828e1b7c89462547581eb0c4a907c55c87f0a6 | 101 | 0 |
| Remote PowerShell Session Host Process (WinRM) | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 9c155c1f00478f6dbc65e449bb4e1ee8d14ca444d40cbb52bd6406320ff20282 | 101 | 20 |
| Data Compressed - PowerShell | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 1ea6262b9839c6f8aa32af503fb227a46a6f22b4778711e1a64f62b102e43a3e | 98 | 49 |
| Root Certificate Installed From Susp Locations | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 99ad87050a603d266b14f9d38b78913daa61c2b7dc6b1441427d022050ccc8b7 | 98 | 5 |
| Use of TTDInject.exe | frack113 | Sigma Integrated Rule Set (GitHub) | ce2c1d30a6032c8bf814508ea0142036631b7b690cff7d809dfac541ddf4c01a | 98 | 34 |
| System Disk And Volume Reconnaissance Via Wmic.EXE | Stephen Lincoln `@slincoln-aiq`(AttackIQ) | Sigma Integrated Rule Set (GitHub) | 3b87c918c891cc71875e579ccec1db6182cc5e8577cc337cd77a54306f24aafc | 97 | 32 |
| File In Suspicious Location Encoded To Base64 Via Certutil.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 01705d905ff73214a70aaa5cc788cda6fa3195220319780605c2ba2c7afdacd0 | 96 | 10 |
| Deletion of Volume Shadow Copies via WMI with PowerShell | Tim Rauch, Elastic (idea) | Sigma Integrated Rule Set (GitHub) | c7ad5ab5203e14414fcbfb23542125d64b7aca04b7afe48d594ecb9b7c117ec3 | 95 | 0 |
| Wusa.EXE Extracting Cab Files From Suspicious Paths | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a3bdc335aeefb2b18bcd061bd2c29809fd034b8ebaf07e3dc6c94af5ff27b7f6 | 95 | 0 |
| Exfiltration and Tunneling Tools Execution | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 6ba70df29bf2469a0e7931226da06a144c5e9044543a14e1fae2bcd6c17f9374 | 93 | 32 |
| Potential AMSI Bypass Via .NET Reflection | Markus Neis, @Kostastsale | Sigma Integrated Rule Set (GitHub) | 4f48e177e42323bad59a64ab7de8ad6105458dbcdbb255b095f3c17aa618478f | 93 | 3 |
| Suspicious Csi.exe Usage | Konstantin Grishchenko, oscd.community | Sigma Integrated Rule Set (GitHub) | d478344c6645595e8636745bd5f3fcc68955c4777726aba466ad93f133453add | 93 | 84 |
| Suspicious command execution | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 2493810bc5072dfb469437cfe4848e404b84ec5690670b79ab60bdf138d06139 | 92 | 0 |
| DUNIHI Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4e8573bf949d0f277bff56a18b256181b950262693a43cfad1d247e035aec8b5 | 91 | 3 |
| HTML Help HH.EXE Suspicious Child Process | Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 03c63f09ca0da10cdd578a2b9318266b2f2ac550da5b256d00ce4c0cbbbedda0 | 91 | 6 |
| Linux Command History Tampering | Patrick Bareiss | Sigma Integrated Rule Set (GitHub) | c5903ffafd80f3200d3223dd44f4e4200331a8bfef040c23fc1812186018c6b9 | 91 | 20 |
| PUA - Advanced Port Scanner Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fb482f5fd709d1ae001f190ee187e694e6ae6473e73b36e57e49b6908a1544c3 | 90 | 6 |
| PowerShell Module File Created | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ac9471aa53e0850fa4b5f9ae701b9d20783d5f3762aa950efee3d94d5f862283 | 89 | 57 |
| ScreenSaver Registry Key Set | Jose Luis Sanchez Martinez (@Joseliyo_Jstnk) | Sigma Integrated Rule Set (GitHub) | 6e68f5c105dfd23d227bb84e1d2fc8eda9de15b7826b6c74dcee7913742ea06a | 89 | 41 |
| Unusual Child Process of dns.exe | Tim Rauch, Elastic (idea) | Sigma Integrated Rule Set (GitHub) | 1a409a5e5fee95e8f39012c0517568143fbf3ceac2b7bf87e81ab5eb50d8a6f9 | 89 | 33 |
| Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6a048234462e46cb2ce5b49006ff2d3e6f3a58ef583716ceaf74d911b04c1a85 | 88 | 65 |
| MsiExec Web Install | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c56598b1a4dc67703e332a7df820b31b6690ea40d2352aead9f77f441f6f5b2d | 88 | 5 |
| Powershell launch regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | 59bdcb50161e15e215ceab8d779ba112cc633a8bde418fc87d450d05d5e78a78 | 87 | 9 |
| New Generic Credentials Added Via Cmdkey.EXE | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b71ea6893f3e92a9d7d7ffb0de6a327a1a755b01c115465f079fa8cce81013d5 | 86 | 26 |
| Add SafeBoot Keys Via Reg Utility | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d0f01e5bb13e8ce7a78203105d6c6fd359d6150767bbbfa4de80faa61bbf2099 | 84 | 38 |
| Brontok Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | cc37d2c965977a035bf3e0e5adc5d1ad561e00eeecc80cde19feb01566a5fa61 | 84 | 0 |
| Potential SocGholish Second Stage C2 DNS Query | Dusty Miller | Sigma Integrated Rule Set (GitHub) | dc5cfaa0b6ff45a4864ee8be51bb9c91ef2f5d94c791e000efb78473258ad5ca | 84 | 23 |
| Deny Service Access Using Security Descriptor Tampering Via Sc.EXE | Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 4e8b6e96f08290c2d17de56622ea6ab96e4e69ac05b74c3f70d52ed74f859533 | 83 | 37 |
| File Encoded To Base64 Via Certutil.EXE | Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1b6510b58b9f16b947f9e665c0a3f3902f2d51f54d01596eb9545d8fd6631aa1 | 83 | 5 |
| Malicious PowerShell Scripts - FileCreation | Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein | Sigma Integrated Rule Set (GitHub) | a76fa0f689961152a23aa5f209a6af1314317a976fc0ce87fc515430cd043c5a | 83 | 11 |
| Potential Suspicious Windows Feature Enabled | frack113 | Sigma Integrated Rule Set (GitHub) | cdcec55ed90affa3868db81d308f5a76204c51b717f1cd5ba3c9feee5ce926ec | 82 | 19 |
| Renamed Jusched.EXE Execution | Markus Neis, Swisscom | Sigma Integrated Rule Set (GitHub) | 395d81f2cea49ebe846ec75b230f6e7f8ff1541f56a65ee0ca6336a3730a5af3 | 82 | 6 |
| Insensitive Subfolder Search Via Findstr.EXE | Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fc0dfa66e10e89529136659b68704c27d9c50955795ed4bd4fb70b8ff27a2cdc | 81 | 48 |
| New Root Certificate Installed Via CertMgr.EXE | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | 7967f7ab83c7127d55911fc713e9a9bd4d66a313b85fc76a5957a7666db29e34 | 81 | 16 |
| REGISTER_APP.VBS Proxy Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2d663b64fac0627c9d7a810d3e1e3c10a5321e0d9f0ff82bf3f9ade891ad15e9 | 81 | 41 |
| Wusa.EXE Executed By Parent Process Located In Suspicious Location | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8a6cc2ec2dfed9361b49f2176c76b8d649124a8c438e3f14104c8ffc82685cbf | 81 | 15 |
| HackTool - Covenant PowerShell Launcher | Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 2957c0808592ab632134afd63650be8c47697a8350bb5cb19a8272b9da595777 | 80 | 3 |
| HackTool - SharpView Execution | frack113 | Sigma Integrated Rule Set (GitHub) | fcd75941371f1c365f40d29f8498522d49065fb5ad8dc28a97b979603a6333ba | 80 | 20 |
| Linux HackTool Execution | Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure]) | Sigma Integrated Rule Set (GitHub) | 86323a066135586878b5ad6ed6ff2638ee0808cde3808480271dfac95b04807f | 80 | 35 |
| PUA - NPS Tunneling Tool Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9b4f9dd1295bf299dba100d2a75a3f7188ba51a90dda3e0bf371708f55a40507 | 80 | 0 |
| Nocturnal Stealer | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 08655a77d7ea003dba35be4775284dd12a24f9469c9e93ad2d085afe3f4e91d8 | 79 | 1 |
| Potential File Overwrite Via Sysinternals SDelete | frack113 | Sigma Integrated Rule Set (GitHub) | c79aec25ed8a3cf07f3a43954d8dda5823dc140075f59c4e0cae1e5a3aee8072 | 79 | 17 |
| Potential Persistence Via Netsh Helper DLL | Victor Sergeev, oscd.community | Sigma Integrated Rule Set (GitHub) | cfb3049a2fd55cd1ff6721dc9b502008c4449922474c40b20b8f6fab4f51ce02 | 79 | 19 |
| Register New IFiltre For Persistence | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ee0912f0124b2509a7672d8c5478428150f436ec04279e2240e1b457049eae5b | 79 | 14 |
| 7Zip Compressing Dump Files | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2194ceadd602ef4103a4715be6673214407021d3ff227fc3c520c0b9f51d9008 | 78 | 29 |
| Commands to Clear or Remove the Syslog | Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | 82fe97976c538cbc804bd324c0c8e95c4df77ed62a637f5e1d33dd2d9c9b416d | 78 | 6 |
| OneNote Attachment File Dropped In Suspicious Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | afd9349ba03eb1032e975c339bf0a626bd6fa3cf66270e4bac353a102c07848b | 78 | 56 |
| PUA - Ngrok Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c2e9abacba241e42d67c8d6ae1523533d3cb9769cf7315d401744e4266f91ffc | 78 | 21 |
| PowerShell Profile Modification | HieuTT35, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 25ba0fd933ae7d522dfbe81f445736e4bb4015e2ab0ce76d436c139485e79e2e | 78 | 51 |
| Certificate Exported Via PowerShell - ScriptBlock | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b1cd37588678d9d180fae5e3ac98088d0fb94bcf137b0f6b423ba503b9c48334 | 77 | 67 |
| HackTool - KrbRelayUp Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 914dd9cda73bd6f9573dbe9e9a1fdfc390464d03b96dd1d0ac163be4f300aff1 | 77 | 0 |
| Lokibot Detection Rule | Ariel Millahuel | SOC Prime Threat Detection Marketplace | be942c1d0e5d410fdd49ca407572405db53d2cebec6927a56b86b1bf02d58983 | 77 | 0 |
| Print History File Contents | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 57c5fa03a480d2503b2cd8c6055b57b3042a03030864c8e431c7077229e32019 | 77 | 3 |
| Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9c7804b6bfb1ca0e93a863185af19f14432fde4b07d2ac68fb1a44032467c98a | 77 | 20 |
| HackTool - Bloodhound/Sharphound Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cfc47087b4c2d98cee5d80b1383b55212d8fe298ebc880e15c894f55123fa95a | 76 | 6 |
| Malicious Windows Script Components File Execution by TAEF Detection | Agro (@agro_sev) oscd.community | Sigma Integrated Rule Set (GitHub) | 1aed5dfd628d749d7b679eefe579532b3ff3ca46fecf65776910e7de7aaa6148 | 76 | 2 |
| OS Architecture Discovery Via Grep | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 1a3577e67f806b29ef2a52975305c90e5a28597217567af774c26c0bb29a837f | 76 | 46 |
| Run Whoami as SYSTEM | Teymur Kheirkhabarov, Florian Roth | Sigma Integrated Rule Set (GitHub) | 6af189a96d12cb443ce812c507e6b5326d70cc43e4f8a8b179fd45d5acee44bd | 76 | 6 |
| WMIC Unquoted Services Path Lookup - PowerShell | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 420c9214a5aa1f50a2a85504e221b82931637956daecbfebfda630bb7c586f60 | 75 | 29 |
| Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script | Tim Rauch | Sigma Integrated Rule Set (GitHub) | 3fad126ae93b8bb078502d36cb4e234c89c2539784bb1f8e446e615d3f54c186 | 74 | 3 |
| Powershell Local Email Collection | frack113 | Sigma Integrated Rule Set (GitHub) | 7a8c60222c9d0320cd13f6c3e00c4279e2961daa1560bebf35dfe8f0de4387a4 | 74 | 36 |
| Testing Usage of Uncommonly Used Port | frack113 | Sigma Integrated Rule Set (GitHub) | 45fddb986c296e8a5cc65d9e7d93b5666adb505378e865f501b8a9946a4cc8fe | 74 | 52 |
| User Discovery And Export Via Get-ADUser Cmdlet - PowerShell | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0caa50babf4475fc8fa04167d47d87d1e0d04294b8534c19e180e2c9dde0012e | 74 | 56 |
| Windows Firewall Disabled via PowerShell | Tim Rauch, Elastic (idea) | Sigma Integrated Rule Set (GitHub) | a0a3572f7e566559cfcfc8970108fc01b0ad35103e76b5359955ed4c7d4ac60e | 74 | 4 |
| Commands to Clear or Remove the Syslog - Builtin | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9a49b4476704bd301f2c0b13c87316f7e92aef899ef21b8e3f6db3c943390df6 | 73 | 3 |
| Renamed Msdt.EXE Execution | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 547b4f9fe578b9d949c01be391e76decb1e95b632ac54aac474eb858c0f1f5b3 | 72 | 7 |
| Suspicious Process Created Via Wmic.EXE | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 97abad7c8edb5cdf286b45712f14b577d1653fa738d3d330a0473a1d48e5aac4 | 72 | 3 |
| History File Deletion | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b5287b77a0f842e5d6ac8cf6125132aeeac4e8f639751744c9c256006803a919 | 71 | 16 |
| NetWire | Joe Security | Joe Security Rule Set (GitHub) | f1f1e749b0e91b9e079a2fb92be3e128291eda84c02064028a1d037f450f864c | 71 | 0 |
| Powershell create lnk in startup | Joe Security | Joe Security Rule Set (GitHub) | fd5c77e4a6ca9deb325d7525e8219d80cc70e6bbf765e2d75ab4f30f6be7cc9a | 71 | 7 |
| Renamed ProcDump Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | db74c62019a53e7519a7392215062ee6be4525e5374b4191fb8eeffc81cb981f | 71 | 24 |
| DarkSide Ransomware Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5c4ba608ec7db931a6491db14857b098a88caf78b2c28087f16fa4aeeb05c8d0 | 70 | 1 |
| Potential Persistence Via Powershell Search Order Hijacking - Task | pH-T (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 262548bdd551b5516ac8ba4e7c13b94c1164ea5766dc08877e95dcb2930be717 | 70 | 7 |
| Potential Signing Bypass Via Windows Developer Features - Registry | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bc27e2c02d1cb4d2eba75aa1668359b5caaafc79eb2531bdbe54410d63d727f3 | 70 | 22 |
| AnteFrigus Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8b18641dc7819baf3c131b24088048e3cf6ac0f5946f136a2c0b0b36a3754141 | 69 | 10 |
| Execute Scriptlet from internet Via Regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | 1dfe86ef579952e7d83c7cab84e28986946f0660fc39224c8c471d29300a9885 | 69 | 2 |
| Potential Obfuscated Ordinal Call Via Rundll32 | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7bdb12eebdabf1b207f0dbcb9c1b6b22d47d6d42e5ac4839dc0945d338faf27a | 69 | 2 |
| Replace.exe Usage | frack113 | Sigma Integrated Rule Set (GitHub) | 067314a472e516edad2a871cb6ccc07c4490f9e36622e820cb8d7ff88b0f9fd5 | 69 | 0 |
| Suspicious File Downloaded From Direct IP Via Certutil.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bba68f86faec56fff7827bdc8b4bb20cf69d80ccf8c956daadc7bd68839665ed | 69 | 3 |
| Decode DLL Via Certutil | Joe Security | Joe Security Rule Set (GitHub) | 512a021b2a6002cdc06a23350dd7744a78311e5eacbe59b19864a594b50fc33e | 68 | 0 |
| Potential EventLog File Location Tampering | D3F7A5105 | Sigma Integrated Rule Set (GitHub) | 69c8a912add6ff74c81727a758b844925127c8257fd99143e46ba28f67a29517 | 68 | 45 |
| Suspicious File Download From File Sharing Websites | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 81df8b624648173975c91181526939696ab64698fa03b22522b81744d5cc10bf | 68 | 36 |
| Disabling Security Tools | Ömer Günal, Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 17b8565aac7819789a47a069aa7bbdb1c69f755edcfcb766c10e1d973768a357 | 67 | 3 |
| Mshtml.DLL RunHTMLApplication Suspicious Usage | Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA) | Sigma Integrated Rule Set (GitHub) | 81da16a2acd4f2ead3a5744748fade75b7d63b7ec6498731e5106bf2d48265b6 | 67 | 6 |
| Scheduled Cron Task/Job - Linux | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 17e54e203e8a8aa2c9b914202cbafe7a371b6019f97729b83dc10a8f643dc884 | 67 | 11 |
| Suspicious Execution of Sc to Delete AV Services | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7f8a2779f372784da42ba3ea542708f81eb3d3784b03ec4d156d94dbf9190887 | 67 | 4 |
| bitsadmin download and execute | Joe Security | Joe Security Rule Set (GitHub) | 613bbc724cd17594b42667a8a5c4df0dff074adfb53a590f30f86743bc9b5b47 | 67 | 7 |
| Registry Persistence Mechanisms in Recycle Bin | frack113 | Sigma Integrated Rule Set (GitHub) | 661375a6a064f858d66665c13895d00ce56bb356ccda48cbc40727b9b6f4e220 | 66 | 1 |
| Abusable DLL Potential Sideloading From Suspicious Location | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 566d4ee50b2fbe8a5d724a630f1f5eedae86a015b59b83014a6e8612339d8523 | 65 | 7 |
| CARROTBAT Malware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 5244e0d5e7e39e2209c4a02fd25867f6008966d611f19da634de6505358c95a6 | 65 | 3 |
| Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN | Beyu Denis, oscd.community | Sigma Integrated Rule Set (GitHub) | 3fba0f206c1c867f04a34552b850e8eeb0b219621923d394bddad4789f293152 | 65 | 55 |
| Enumerate All Information With Whoami.EXE | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 746ffdc60cc4e7f5b9ace4026da8fbc6a009bb58f285f72d6c62cd9b9f2c867b | 65 | 15 |
| Potential Iviewers.DLL Sideloading | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4a3ab15f0d9e71b31849c630b42e36683c5269c2ce71c8042193fc224000fd25 | 65 | 7 |
| Scheduled Cron Task/Job - MacOs | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 572b438b19c769d86cabf9aef66e7f6d1cadfa28c31734af9cc9577e10af72b7 | 65 | 9 |
| SharpRDP execution | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 31cfc7594bce0379cd087a7f0fc2e2da4a491ff6b2df31db447eac7eec8b2d22 | 65 | 14 |
| Filter Driver Unloaded Via Fltmc.EXE | Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | d00afaccf4e488d3a0607eb98f532801d652935f6a0f82e8dfe2240b90f12b5c | 64 | 43 |
| Nslookup PowerShell Download Cradle - ProcessCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4755ccbf487b7c6fdaea8383493917837a2c86ff682d94f0f57d6b09349e0ddc | 64 | 11 |
| Oxypumper and Qwertminer detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 2e9004538d0ac25abf5f74d2ab10e6804e8c5a6d78ded8ec678d1d57791fdd4d | 64 | 9 |
| Potential Defense Evasion Via Right-to-Left Override | Micah Babinski, @micahbabinski | Sigma Integrated Rule Set (GitHub) | 8c9d950be3588ee779f57d3c33f03abbaa5ab145cac1a897bfa816cd0745a1c9 | 64 | 1 |
| Suspicious PowerShell Invocations - Generic | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d0b30db49f680fc7c412d09dc2099e655eb262fd5ef5b03fb5304663ab79137a | 64 | 3 |
| Vulnerable GIGABYTE Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e55e3c4025c22c464d209815a3411299c407e870eab4c5aa9ef362b217babade | 64 | 1 |
| Creation of a Diagcab | frack113 | Sigma Integrated Rule Set (GitHub) | 76466a8380202538b40850a954fbd8b6bab964c61bff3742c35d8a8e0bc582fe | 63 | 24 |
| New TimeProviders Registered With Uncommon DLL Name | frack113 | Sigma Integrated Rule Set (GitHub) | 4644dba35bcca22688aa47798c36c6f13bf03864da995c52366df9c473e02450 | 63 | 9 |
| Office Macro File Download | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | aaba58981e0428da3913c964606d7609d2f2b2553131eb76cbc3b1fbc611008a | 63 | 61 |
| PowerShell ICMP Exfiltration | Bartlomiej Czyz @bczyz1, oscd.community | Sigma Integrated Rule Set (GitHub) | 504cd1bcea14d3f138e4253108d6978349e99adf5984333e0d5d78865dd1a481 | 63 | 26 |
| Cloudflared Tunnels Related DNS Requests | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | eb3d787705736430a92c127b22627ce5de4f5d421899962446a84013018022a9 | 62 | 17 |
| DNS Query To MEGA Hosting Website | Aaron Greetham (@beardofbinary) - NCC Group | Sigma Integrated Rule Set (GitHub) | 8c60cfcbc7464b6af5d7b236a49a53fbfde22feb2036abbf947df7322a7343a0 | 62 | 16 |
| Execute dll with txt extension from temp location | Joe Security | Joe Security Rule Set (GitHub) | d8d01ff318fd81c3e8579c3f1dbc420f408beb4b67bc9be1a4bbdc759dce812a | 62 | 6 |
| ShimCache Flush | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7755af8c0fe9118bb510e5bd0317a174fc59e613270dce762bbc67cac8f68d15 | 62 | 35 |
| Linux Network Service Scanning Tools Execution | Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure]) | Sigma Integrated Rule Set (GitHub) | e34284bbb0ad4c302ba9dd1fde4f2de41f24db62c0b7bbd57804d77d81b02119 | 61 | 47 |
| Network Reconnaissance Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9d9af026eaa77db7d0e5377f50092e459940178fe0e043501343b6432f0f94d4 | 61 | 1 |
| Potential Vivaldi_elf.DLL Sideloading | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 346397c1566ef1c4a5cdc5efaf829819cab3cfe203071185adb35187df0ce7fe | 61 | 61 |
| Powershell XML Execute Command | frack113 | Sigma Integrated Rule Set (GitHub) | b8a4fbd826f854871ab62dc0ad49ae048575057a6293a2c8109f04b8662a8162 | 61 | 24 |
| Suspicious Powercfg Execution To Change Lock Screen Timeout | frack113 | Sigma Integrated Rule Set (GitHub) | 82b3e64b1ffbd6e42b9c816c24dd39f029501b0a8e06e337701dfc101f978f0d | 61 | 13 |
| DeviceCredentialDeployment Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 63437b0e9c5e21d2823a28f0a428ee4bad8d30ba59ddbfb9227fe13452f1aebe | 60 | 3 |
| Enable Windows Remote Management | frack113 | Sigma Integrated Rule Set (GitHub) | 7f8fcfb39f92617ac21dbc51e4c66b0663520cef30300bc28dd89572f6574253 | 60 | 39 |
| ImagingDevices Unusual Parent/Child Processes | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 95fe2608b1dadcb60e16a7627b715b848f056f452fc93639201d185bd1c91a25 | 60 | 0 |
| Removal Of AMSI Provider Registry Keys | frack113 | Sigma Integrated Rule Set (GitHub) | 29e103486311c7c5f253e500ab6386c2aba984cb782efe903a88f082d3f70254 | 60 | 7 |
| Ryuk Ransomware Command Line Activity | Vasiliy Burov | Sigma Integrated Rule Set (GitHub) | 1a2c4b1ffc8f65b4edf9020cfc1b6203854d13592539752717c107cd6357489f | 60 | 4 |
| Spora Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8a1a4505f9c0ee688392c73f69566ea35c3597f51241af4cb0ddb23057c95474 | 59 | 19 |
| HackTool - SafetyKatz Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e12ef0018b230868661eff7c8a74baf3f9a0ea5e0380b63b339c9218278f2057 | 58 | 0 |
| NTFS Alternate Data Stream | Sami Ruohonen | Sigma Integrated Rule Set (GitHub) | 535b54123e1e90e346eb48779d2bdc19508f9a3aef7f7cf48bddbbd43f953478 | 58 | 34 |
| Potentially Suspicious Regsvr32 HTTP/FTP Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e907309004a16bdbee14bf081959e1fdd8d3923c01d4153603226d7722c190c6 | 58 | 24 |
| Suspicious UltraVNC Execution | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | a1005bb393ae9323ec95dc47f2348fea7262e1297f7d5c4e3c9b21b672fe467e | 58 | 5 |
| Cmd Stream Redirection | frack113 | Sigma Integrated Rule Set (GitHub) | 5f96e6b063aba9535c425e87ec855e1751d2d80c4099135c5b165fdf5bdbc5dd | 57 | 6 |
| Powershell Inline Execution From A File | frack113 | Sigma Integrated Rule Set (GitHub) | cbf84e925032ab806dad545cb848e4318b275d75f3a40c8cb9664e0172444779 | 57 | 19 |
| Service DACL Abuse To Hide Services Via Sc.EXE | Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | 31469fa3c8d37b7e80913d07ce5549c9371e193ac3f0d3211f519adbb2de950c | 57 | 1 |
| Lazarus Activity | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 735c9c8d6f2afa0f395d670a4d21f211de96cbab610a1a63b20bcc981d975f0f | 56 | 0 |
| New BITS Job Created Via PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | cfec5ce24be18b8a5b6ee565ce5bb62f0aa614ff0754094a9cb6d113b97decbe | 56 | 5 |
| Recon Information for Export with PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 713f92f086b68096c3f56ca930b031275ba60fcd9b0986dca0e69d63a349fe11 | 56 | 3 |
| Shedule powershell with encoded command parameter | Joe Security | Joe Security Rule Set (GitHub) | 915a39321a250831a95cbb6b6598214820d1be1095aee6555106a9ca7d02a36a | 55 | 0 |
| Uncommon Microsoft Office Trusted Location Added | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e2890486c08a6306f0ed3294555a371fc9af6989a617f720dcd5d85002823cbf | 55 | 29 |
| Windows Kernel Debugger Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bdfabe357d29db481ce92a1bf99197e1220f79336d0a6a891f56d430f607e756 | 55 | 6 |
| CreateRemoteThread API and LoadLibrary | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 7b3a31059be73d0a2a66f61915b2e5a4f5a37cea4d4de5e3cc8c24f5e2a310f1 | 54 | 4 |
| Portable Gpg.EXE Execution | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 37975ef2a9d7686f9cb4712638e4cb91aa474f7ff5d6d96097cf31e8ac891e00 | 54 | 7 |
| Potential Download/Upload Activity Using Type Command | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 60989d33f57e8b54080cc6f5ddf172214858d74acfac7a314daabf794b9ffe4b | 54 | 4 |
| Suspicious Usage Of ShellExec_RunDLL | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 583f46a94081ca6e4e09e8191f1cc5fe8a0b11239ca27da18ef2ad12a48786b7 | 54 | 0 |
| Linux Shell Pipe to Shell | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 961d6ba3c55de28bad39a9ca6bc10d12d7d1180abd7f3b15244347c72b37be1c | 53 | 2 |
| Post CVE-2017-5638 exploitation | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ac7133ba82228763e38c9dece3427e679698ee3bedde0c21e00adf3e4dfa06ac | 53 | 0 |
| Potential UAC Bypass Via Sdclt.EXE | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 9076ea2849a39de53427fc7d336a9132ac1d6dea68e77efa6abafebd89ee90c9 | 53 | 10 |
| Rebuild Performance Counter Values Via Lodctr.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f2f0bbc1c620055ffb4b0372c73c17ad21ce521d43cd8a6d18c9d374f83932f1 | 53 | 30 |
| Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE | Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | adbbf1b1fe76c2a86e148fcc66a37c2f361f6d40ce55e510f70409c09d434ea2 | 53 | 16 |
| Creation Exe for Service with Unquoted Path | frack113 | Sigma Integrated Rule Set (GitHub) | 3b925709ef1196fbdf20c495c5a7972944bd56a4ab342009ef41e3f3273c15af | 52 | 0 |
| File Download with Headless Browser | Sreeman, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ab434fe480ee2a7a4567eef38af37753eb61b2fe82708db1056313a73ab0fac0 | 52 | 3 |
| BackSwap Trojan detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6cf0858071345dfa209de5be9510786314771819c7ae412dbfe82b134cb3697c | 51 | 2 |
| Created Files by Microsoft Sync Center | elhoim | Sigma Integrated Rule Set (GitHub) | 90e6abcfde9453786cbe5eb7bd26a659703b1abfdec9d9441778c362dd6be63c | 51 | 0 |
| DllUnregisterServer Function Call Via Msiexec.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 2e95aeac423a48e1ef8f7275c2f49a8fe3fe9a7e83b9db9f856d1f2d3edb1a10 | 51 | 14 |
| File Deleted Via Sysinternals SDelete | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 13320004e8b7f532ff0dcbcc7a564fd60fa782490cdaf6e553e89088ded28e41 | 51 | 5 |
| Potential Persistence Via Microsoft Office Add-In | NVISO | Sigma Integrated Rule Set (GitHub) | 87bbef1292c33b8d07238254d96faa4edbe7d7b241c05444918849684077237e | 51 | 10 |
| PowerShell as a Service in Registry | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | edeb7efda75eef0c30275df1148d63a2707963d2d9735d444a56536df2161a9e | 51 | 1 |
| Socelars Malware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 3b19facf348c1fe8db660733298928cb749e5dafe84ca3025f86b31129352e51 | 51 | 0 |
| Uncommon Extension In Keyboard Layout IME File Registry Value | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 17a95e740c3d081eefeec61bf1fd312a2276a380be6923c632ed7d8660285301 | 51 | 0 |
| Suspicious Curl Change User Agents - Linux | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 85e2c3c8bd260f8a67a582a43493b73662159bf74036dcc05b8952c84be8bc2a | 50 | 41 |
| Suspicious Execution of InstallUtil Without Log | frack113 | Sigma Integrated Rule Set (GitHub) | f87a49b6d1417f2f418f84c8a8b3d23964133dc7c1b7e18b02a1d2b8deaba8a0 | 50 | 19 |
| HackTool - SharpUp PrivEsc Tool Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b9df87571912714cc7a36f7a1ca3fdd9625d8ccc37a12862bdb202fba7c22869 | 49 | 3 |
| MacOS Network Service Scanning | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 4fff924a8370247252e1b93169b91f3d7ed7d41b98603cfd2b8ce78153c97dd3 | 49 | 37 |
| Suspicious Environment Variable Has Been Registered | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b699c275e510eda7cf1e9f4fdb0a9e8e780d9e307b37d98aa4524c6975b9847a | 49 | 9 |
| Suspicious Where Execution | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 46ae66dd22967fe384fb2758be37ee4bc4eb6756891eb9d7ebb29342e2dd03d1 | 49 | 33 |
| HackTool - CreateMiniDump Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8618cac2c2c1ec1d0e5b729eab2f28a1585a023728c5aaa9fa184b786b52a337 | 48 | 44 |
| Hacktool Execution - PE Metadata | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8b5d84914e5e7715fc7effca7b1d2ad513d7fee3b5afb0e324a42c2d3103cd49 | 47 | 0 |
| Potential Attachment Manager Settings Attachments Tamper | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ab75582abe82ab90071a874b2fc815cf2027c5505ce7f0b149210f67dd27dfbd | 47 | 3 |
| Potential Persistence Via Microsoft Compatibility Appraiser | Sreeman | Sigma Integrated Rule Set (GitHub) | 9fc475ae448749ce7b6c7760c27eaa960cebb3e61dd32ccdd1ffa55dc831eff2 | 47 | 21 |
| Potential Ransomware Activity Using LegalNotice Message | frack113 | Sigma Integrated Rule Set (GitHub) | 7c1a95ef0474a975a04b961bfb754a69cb4d482b12e33fc8194798229f828125 | 47 | 0 |
| PowerShell Script Change Permission Via Set-Acl | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4dda7280ec76865e53f8a5b9094b4f45af5182eae613d2d336f0bbbc028a76b0 | 47 | 6 |
| Powershell drops NetSupport RAT client | Joe Security | Joe Security Rule Set (GitHub) | fff7f3f069862bd6d4a1202e842c62ff93c981b9fefe582ca76320826999ff81 | 47 | 0 |
| Registry Dump of SAM Creds and Secrets | frack113 | Sigma Integrated Rule Set (GitHub) | 3e6aec9c264981c1c738cf2bb29a907f7fc01867b91cf31a6d4ba46d35129230 | 47 | 10 |
| Suspicious File Encoded To Base64 Via Certutil.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | aa7741239d7d626a6e7b92ca2405578c580c500eef1489d3115aef2b00b667d1 | 47 | 16 |
| Tamper With Sophos AV Registry Keys | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e959b2b5eb8766c7e43ff42c19d740cc07c317b6e149c3d8a8901fb6440f5af8 | 47 | 39 |
| Access to Browser Login Data | frack113 | Sigma Integrated Rule Set (GitHub) | d3129d20de2d7890e0b90366b7a86a16ce9ca2c330c67005b72bfbd4105aa6d8 | 46 | 15 |
| Potential Goofy Guineapig GoolgeUpdate Process Anomaly | X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3de373579cf42d786c41c5e8a743ccfd4b7b5dc392778d033e34cb2284045399 | 46 | 0 |
| User Has Been Deleted Via Userdel | Tuan Le (NCSGroup) | Sigma Integrated Rule Set (GitHub) | 841f0c710bf05773a21dbfe0cad9bb0d7a04273cb01c06da89b03b588376c12c | 46 | 9 |
| Suspicious CodePage Switch Via CHCP | Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 843024550fd9239f814fd3dcd7f1f768fe7316501173bb485e673bdb9abf1d63 | 45 | 9 |
| UAC Bypass Tools Using ComputerDefaults | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f0a2a0d6b300aa9b5100a3fcd8fda2e183d4c22f4c748ebf056b724965c77639 | 45 | 0 |
| CodeIntegrity - Unsigned Kernel Module Loaded | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 647cd15325a4886379855a1ac10656200efc53f23b4acdaedb38599f61f8edaf | 44 | 20 |
| ConvertTo-SecureString Cmdlet Usage Via CommandLine | Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton | Sigma Integrated Rule Set (GitHub) | d44e437dafc368f03a2c93e0239ddf8a89f25343b0747774d67a1b84e48eca09 | 44 | 5 |
| Deleted Data Overwritten Via Cipher.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | d3e54936275abafa46d4b77891ec8f7fe6dd55d420fec613476144dd5d26f1a7 | 44 | 4 |
| Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell | Daniel Bohannon (@Mandiant/@FireEye), oscd.community | Sigma Integrated Rule Set (GitHub) | 30c408d940a17c92bda9a7a3661343cb4849cb5206311af462dfa18993f9f0c7 | 44 | 0 |
| Obfuscated IP Via CLI | Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f9580d1ddc8753d3db3625ce853e150314b148df4d5279a69d3781cc031996c9 | 44 | 2 |
| Remote Access Tool - AnyDesk Silent Installation | Ján Trenčanský | Sigma Integrated Rule Set (GitHub) | 8c68ebe0db23e4f70c3621d56e4ce298dcf255e61288342e6b4760dd0af96c85 | 44 | 5 |
| Remote Access Tool - ScreenConnect Temporary File | Ali Alwashali | Sigma Integrated Rule Set (GitHub) | 89e2039b23d63fdecc8053691737fa87fe9a15765e0720e5fd3f99847b67fd93 | 44 | 0 |
| Renamed PsExec Service Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 80d7ce564675dedfdbf8c13540cced6343bb1708c20306349a108b369920509a | 44 | 3 |
| Use of FSharp Interpreters | Christopher Peacock @SecurePeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | ab87de6df917b48304e512d979d27ae1a0c4b3b63106217afe10aa1059195e7e | 44 | 18 |
| Credentials In Files | Igor Fits, Mikhail Larin, oscd.community | Sigma Integrated Rule Set (GitHub) | bb9fce766014ab2fb22106410384571f0217fa35e9914bdc3dd86452d8d4ed64 | 43 | 20 |
| Linux Base64 Encoded Pipe to Shell | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c1f964672685d4a8074a0afd7ede2d3d945dd73712ba41714baef2affeb3f567 | 43 | 0 |
| Monitoring For Persistence Via BITS | Sreeman | Sigma Integrated Rule Set (GitHub) | f9b2dcdba235a40678fcd4411540f98adc4caca054a247054eba6b040b37243e | 43 | 5 |
| Potential Regsvr32 Commandline Flag Anomaly | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0febc469c613c6ae3155a46fb291f1ebf74d38c09b1dbb5478c2f9f36af7b599 | 43 | 14 |
| Sdclt Child Processes | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 440b98d4bf30e3c39e7c17aa21aaa561647a4230e418cf901961b1604e27877c | 43 | 9 |
| PowerShell Called from an Executable Version Mismatch | Sean Metcalf (source), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ed7108b00b6a517dcbcd529d98b8c8e1ed551160e89bbf03699b6fe2e3b49fc2 | 42 | 5 |
| AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | 3ac562f761dce56ddce1ba6581aace41ae7b64cf2b9fd64295b4d9d43c26aa21 | 41 | 10 |
| Creation Of A Local User Account | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | de6224d573389a0f865f0a33bd9bc3784cd12bf697150f8f8e0a9708a4e00199 | 41 | 41 |
| Dupzom Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 68250cc49ef2301bbd3bc5104579a2f065206211acccf6978a71097bddd98d6d | 41 | 0 |
| PUA - Nmap/Zenmap Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 4225d7662d0eec6d20893e2e9f75328a37cc7a24ba7f1932e3c993cf482e46d5 | 41 | 18 |
| Potential Credential Dumping Attempt Via PowerShell | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | 860b2c5aa11877dcc332abdbcb448878b95f010531b81f04afb77fd2c7aaf9ab | 41 | 7 |
| Potential Process Injection Via Msra.EXE | Alexander McDonald | Sigma Integrated Rule Set (GitHub) | 973e933a4e2394093f5cce603e5ffadbcf35df2afd29c4dc0e1a002e06d9b58b | 41 | 0 |
| Default RDP Port Changed to Non Standard Port | frack113 | Sigma Integrated Rule Set (GitHub) | dc0c536bf76ee17ec594024c9b331e97f259d945e0c52ca0f468b6d323906d8b | 40 | 4 |
| Suspicious Scripting in a WMI Consumer | Florian Roth (Nextron Systems), Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | aa9824d65395eec625b665851ca4456503a8111e058eab9487c34500b30ee31f | 40 | 0 |
| HackTool - Inveigh Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2bfe4c7c4dfa23e7dbcb187f2cbe57e783da76cc66114dacec73520935d9bf78 | 39 | 2 |
| VMToolsd Suspicious Child Process | bohops, Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | bd7b9679a8b4de81c85050399fe9679a23a1ea3bb48ef31509d208152db750f4 | 39 | 1 |
| DNS Query To Ufile.io | yatinwad, TheDFIRReport | Sigma Integrated Rule Set (GitHub) | 948e697920a298ec6250c9c3157174bb53f162acfe6435ef673ac34c61021f2c | 38 | 9 |
| Disable-WindowsOptionalFeature Command PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 3becb58829ad8f8f58a8716e0deb90627269a650475809ba1704d3facae71a69 | 38 | 16 |
| Glupteba malware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | bdf42e1363c4a10d6bcc355bf1a7fd1cb54d15737372cbd542de0642fb26eb5b | 38 | 0 |
| MMC Spawning Windows Shell | Karneades, Swisscom CSIRT | Sigma Integrated Rule Set (GitHub) | db1e0cf723dcd4169ac8bc1fb3f0679715ccb323d3a3e42e23cc811efa0d9e98 | 38 | 1 |
| Potential SMB Relay Attack Tool Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d702a3f44f93b4f3f9c5cd7b73d3901b2db7d1b3db3e051b5135849e3f812ecb | 38 | 0 |
| Regsvr32 DLL Execution With Suspicious File Extension | Florian Roth (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | f64c98dfb55189f8f65b8dc8c77a020a4c869933083e1b3ef087e4dba264e864 | 38 | 6 |
| Remote Access Tool - AnyDesk Piped Password Via CLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6e0d326cf1248be3c35ad4a980fd0b6fd00f190e2b6bac28494062e11f1d9db1 | 38 | 1 |
| Remove Account From Domain Admin Group | frack113 | Sigma Integrated Rule Set (GitHub) | 2b323eb1de293c4dbf91041f23c3507c4aaf71c4bc36b04ccb8fc5731995a398 | 38 | 17 |
| ScreenConnect Temporary Installation Artefact | frack113 | Sigma Integrated Rule Set (GitHub) | cbf91c8dea063cd256525b4053b25b4afe0528021d02d0b0d380321ebc5c9a7b | 38 | 3 |
| Sysinternals PsSuspend Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a5499c523df320d4d17393e8439d7a17bdbe13b398428715aa85f865a9ac040e | 37 | 5 |
| Unmount Share Via Net.EXE | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | 407e4bde1473325159e680d149f0f254239a0a299c46a43635758710d7592f65 | 37 | 6 |
| Adwind RAT / JRAT File Artifact | Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | a7648695383d3c54094a9a623178342f9965ac5977fdf3c70016e06b5d12fbdb | 36 | 1 |
| Changing Existing Service ImagePath Value Via Reg.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 3a4567bd735e7ae20a9b3bf3921ad6e9acdec3b957cdbdb4eebfd6feed5670d3 | 36 | 17 |
| CrackMapExec File Indicators | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 254c83f0491d9e699fbdf23d06bc63ef62e908d45901cb872d0268ad51aa0543 | 36 | 6 |
| Drovorub Malware Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 00861734ad4b4865c4fd337b091aace8388feda059f681fa1a0d0a6659b55d31 | 36 | 11 |
| File Creation In Suspicious Directory By Msdt.EXE | Vadim Varganov, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 43c5a24c90e796a35f043d1ffc474c71db1b33cbb25ae045be1efab7477bc486 | 36 | 5 |
| Microsoft Workflow Compiler Execution | Nik Seetharaman, frack113 | Sigma Integrated Rule Set (GitHub) | 360867571c752aa9ec6da95a6c3db7a37dda60e6627df594f31f89692b8063d0 | 36 | 7 |
| Named Pipe Created Via Mkfifo | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 77f498d597306f31d012acd8f1cacd8b91b660138f6b7da5223d25351be26d4c | 36 | 28 |
| PUA - DefenderCheck Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d29242190c6dffd993895588fbb9a2918a3e0e636e3cd6560339d9ae469f3bdf | 36 | 1 |
| Potential Persistence Via PlistBuddy | Sohan G (D4rkCiph3r) | Sigma Integrated Rule Set (GitHub) | 0850dc4a94c84042d7171de3546d552afc54d9d8acb5e48096ff4ddb12b7691f | 36 | 1 |
| Remote CHM File Download/Execution Via HH.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5544bfe63d743fba858c3a75c7dd46a76520367a1278b1fe3d5c5609dc42fc4a | 36 | 29 |
| Suspicious Rundll32 Script in CommandLine | frack113, Zaw Min Htun (ZETA) | Sigma Integrated Rule Set (GitHub) | ee7fc4aa3dcf06ddc37a9dc24c2fe5a2d394cc53d560d2214a8f5455eedb6291 | 36 | 0 |
| UAC Bypass via Sdclt | Omer Yampel, Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9e30ed5d0167ae542ae090b30e0049496a63c5c9c63bb37e80d62532640cfc6b | 36 | 0 |
| DLL Load By System Process From Suspicious Locations | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a341c10327c4d8c5407ea5b704ad11932a391174e37332792a2b456adf4ee9b8 | 35 | 0 |
| Pikabot Fake DLL Extension Execution Via Rundll32.EXE | Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1d2e7f69856c6eba054ab2d9b33d6e18e37f32395e2ec959833d093e0f329e64 | 35 | 7 |
| Potentially Suspicious WebDAV LNK Execution | Micah Babinski | Sigma Integrated Rule Set (GitHub) | 6e4a67b9f486826d18a1ce99c8aee3a5716e826b350437dd6d7b2382e9e6e61a | 35 | 0 |
| PowerShell Logging Disabled Via Registry Key Tampering | frack113 | Sigma Integrated Rule Set (GitHub) | e08c8016940ec5fbedc1d8b08fff3fb1c6bdf197e8fea3c4fbceaa55058f07a3 | 35 | 3 |
| Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @Kostastsale | Sigma Integrated Rule Set (GitHub) | d5b76fa3cab42361e745d7a1c59d40820a1cab108d30fd2d9fef6c3aade085b4 | 35 | 3 |
| Suspicious Mstsc.EXE Execution With Local RDP File | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 205a65cd894184e7d2a59da78310f8cb3262995f30c3015a05293c7754e5916c | 35 | 5 |
| Suspicious Nohup Execution | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | d30303a3345f6a0b7f9c34a75b5a00dd959e4955da823dbe1207107eb2753920 | 35 | 10 |
| Potential Unquoted Service Path Reconnaissance Via Wmic.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | af6fba732192700a3e6067cd1013a488ce707b800e7633a9a7aa67b66fd57ec2 | 34 | 4 |
| Sage Ransomware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 71d449cc65c29ab2e4fee214298f208b87225361a0f65f0f2e73bfd7875b1ef7 | 34 | 0 |
| Script Event Consumer Spawning Process | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 99d3f28b790cc9edbf77b5fddd446d2ec05f85ee550310a2a3863e3171a9bd54 | 34 | 0 |
| Unusual File Download from Direct IP Address | Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a2b6862e0b28e1527a68e771f4a09cc77cc168e10e6c8d978df736c414320a01 | 34 | 7 |
| Wdigest Enable UseLogonCredential | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 549fd181a20cb87efd19fddc858140d8495cd434cc6a9b662dcc7d8bb35804ae | 34 | 1 |
| AD Groups Or Users Enumeration Using PowerShell - ScriptBlock | frack113 | Sigma Integrated Rule Set (GitHub) | 1bccdc208f191ae10d0fa42675f08a37e14e4f39ff07da3fc0c15510993f6e9c | 33 | 17 |
| Bypass UAC Using SilentCleanup Task | frack113, Nextron Systems | Sigma Integrated Rule Set (GitHub) | 09bd87cd156913fd5b64ab548f700258c49833a235b205c8494f05634670d8d9 | 33 | 3 |
| HackTool - Generic Process Access | Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | d75877001c4c1624b11d25475f47d8be26299f4d7b63b5f142efab818fb42372 | 33 | 0 |
| PUA- IOX Tunneling Tool Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | df765eaa567c547d6a5b1ade1739bfcb54c5c9a76cabb60de34451560bdaf198 | 33 | 0 |
| Suspicious Cobalt Strike DNS Beaconing - Sysmon | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b55c667fef3a16ff308f801e44896c36f9754c98321c12bc516a13477130f4fd | 33 | 0 |
| Binary Padding - MacOS | Igor Fits, Mikhail Larin, oscd.community | Sigma Integrated Rule Set (GitHub) | 02cb79a02d071bcc40631d144c5a778d3326e0d2226089538e755f27dfac2048 | 32 | 28 |
| Credentials from Password Stores - Keychain | Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0a2ce7410c4271e6c41926b4fe0f5903a05d4a02cd8dcd4a273e86065b3f46b6 | 32 | 31 |
| Frat Trojan (Loader detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ba827fe25e86d6bf964385767d27442482e273923ce0185d7c335239fda7a2b2 | 32 | 0 |
| HackTool - Htran/NATBypass Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | becb1782f61cc6f06558e9bdda4cbc531606bfb0b4b92c0667d6dbde99a67b77 | 32 | 1 |
| Linux Remote System Discovery | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | b76b38e7cf87e1b2f37b568047e66cfd972f62fbfdebc15ecff4adb21293b524 | 32 | 27 |
| Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6b5efce8659d3a3b0a47725b973669cf5b071a5a685525042188d1670c7b2d82 | 32 | 4 |
| PoetRAT detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8d515240682e798faa78be0b976770c35f93bbf484d6a3876b1f640670a5aaee | 32 | 1 |
| SQLite Chromium Profile Data DB Access | TropChaud | Sigma Integrated Rule Set (GitHub) | bfe106c088dbc3f0a1e36442a1cffcf01752c0edc0253863c36640731be1e240 | 32 | 0 |
| Windows Credential Manager Access via VaultCmd | frack113 | Sigma Integrated Rule Set (GitHub) | 3444e8af7fe049353761c697d9c300841002cb9979f0754558abb2baaa8c915f | 32 | 2 |
| CobaltStrike Load by Rundll32 | Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | a92c2c006c3ed7f60668afcb77342db1049d166af7ab991eb0d6cd8c3e2b2a59 | 31 | 1 |
| Disable Windows Security Center Notifications | frack113 | Sigma Integrated Rule Set (GitHub) | bdccaff58cca68f197ac8f69e4b633c0bb114e3868020f4970296aa9e2866485 | 31 | 4 |
| Enumeration for Credentials in Registry | frack113 | Sigma Integrated Rule Set (GitHub) | cf1e24c4e4b805857977d873b41de8cf08d618fa56ffb27ece5e9b41e84807d6 | 31 | 15 |
| Linux Package Uninstall | Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5e489648e7cddbfb6f319308353866e71f83fcd5e3663e83ecf5f6f7f01383bd | 31 | 29 |
| Potential PSFactoryBuffer COM Hijacking | BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 37782d04601239241ebe09601b69caf3da92679e05edb94dcf699346e06be653 | 31 | 9 |
| Suspicious GetTypeFromCLSID ShellExecute | frack113 | Sigma Integrated Rule Set (GitHub) | 88dfd5a01f282c28ca7996397793be5f0d467366ce982def90143e1503ce84ad | 31 | 0 |
| VjW0rm | Joe Security | Joe Security Rule Set (GitHub) | df4c3314c54ac26310706f85324f7952f1a6f38db2953516f58f8f43d67918bb | 31 | 0 |
| Fireball Archer Install | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 82119a59aede1b373e13f532ace644de8571caff9f04869378270de5b5881bc6 | 30 | 0 |
| HackTool - Impacket Tools Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bcdf3f22e3474c8f1ea65e450422f64bc2fb74de766f420de7cd57827679d7f7 | 30 | 3 |
| Hide Schedule Task Via Index Value Tamper | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c330740ff90c619e583a655e80d545f5ee7c435e58ee3bc2365a0eba1deaf010 | 30 | 6 |
| Indirect Inline Command Execution Via Bash.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | dfbb51364e0deb6fd01f82a709f96be117d3f57ab06c8ac5718d944050856808 | 30 | 15 |
| Qakbot Rundll32 Fake DLL Extension Execution | X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b67830e1ab8ef95eab597f2514e4e830d57cd5b3070020fe62fb7a33c5c9a514 | 30 | 3 |
| Sakula RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | dacddd5435eda2fc54dcf6d585d0e82a0379e27c838a82bebc8ec9f0c0ac9921 | 30 | 0 |
| Suspicious File Characteristics Due to Missing Fields | Markus Neis, Sander Wiebing | Sigma Integrated Rule Set (GitHub) | 608e0e17d25bcba31de608552a073a6677d4f626ab55bce353a686eda3f60bcc | 30 | 1 |
| Suspicious Greedy Compression Using Rar.EXE | X__Junior (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 94e8734168825ab4d47d1adb94a7a1c9bee8ff96dd059cc958d572d0ce091258 | 30 | 0 |
| CodePage Modification Via MODE.COM To Russian Language | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | d24e5c8054aafd6a688f580d314146106d7ba097d4f9bb630c6ca4f260c4f712 | 29 | 0 |
| Container Residence Discovery Via Proc Virtual FS | Seth Hanford | Sigma Integrated Rule Set (GitHub) | 442971bed1da8160e4493d1cbb6e206863e44b4d3bc071439930f75b57155168 | 29 | 26 |
| Hiloti Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f8a63428721bcc8ad6de541a48e0a1f21d8e73a4f114603bcb7e9066042c502c | 29 | 20 |
| Netsh Helper DLL | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 67f08eeb3f74c7dcf4b8985150f3df56b390aec0e1d3edb45a75c360f73c0134 | 29 | 23 |
| PsExec Tool Execution | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 91a0bf780670902c97c569d46226158bdd49738004799b58cd63cc4c9d63ea55 | 29 | 1 |
| Hidden User Creation | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 809fde43d8c51148345ce94401363b56daa369da6e6bdb766f26a3a3af847f65 | 28 | 28 |
| Mavinject Inject DLL Into Running Process | frack113, Florian Roth | Sigma Integrated Rule Set (GitHub) | 22a0144a5fa16f342a409df0a0b3ea1292a72b8e43c7c844bf06d68f5330fbf4 | 28 | 10 |
| Suspicious Service Path Modification | Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8583e6aef0800332fe3fd71771daa3901bacd1a4e3b8ae12333da5f445913332 | 28 | 5 |
| Inveigh Execution Artefacts | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 04a3ff78807e08f6f792e8645f0d500d0b8ee72ef7ccf43d29295bda7cfa1c51 | 27 | 0 |
| Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy | frack113 | Sigma Integrated Rule Set (GitHub) | 59b625af50fa92cc05953cfdf68d6c931bb58a09a058e54757d152acfce5923c | 27 | 19 |
| Potential PowerShell Execution Via DLL | Markus Neis, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5980c0048e6d0468659094b73e0c348afcf2c52a7842e03089c1279a023c70c9 | 27 | 13 |
| Renamed FTP.EXE Execution | Victor Sergeev, oscd.community | Sigma Integrated Rule Set (GitHub) | 1b0331796dea16652e2a96f7864c155f7ff236142499897fcba7142c8eb1a007 | 27 | 4 |
| Scheduled Task Executing Encoded Payload from Registry | pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5e1d76eef43af47ab79dcfbdbb15919232ca5646aef7cc201d8aa1191b2d67f4 | 27 | 0 |
| Successful Overpass the Hash Attempt | Roberto Rodriguez (source), Dominik Schaudel (rule) | Sigma Integrated Rule Set (GitHub) | e0a74a014c641b36f56f6bab87d33f003162f1e4a4e97882d055aa0c2fbc4064 | 27 | 1 |
| Delete Volume Shadow Copies via WMI with PowerShell - PS Script | frack113 | Sigma Integrated Rule Set (GitHub) | 7435e1880cdd78f155ad539eaf8348f3ea0d6fa1183fac382443553cac2159be | 26 | 1 |
| PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 2abd81b6396ea687490b2d703ce07c1abd135ba398d89ab839c66e6a43f713f0 | 26 | 12 |
| Potential Keylogger Activity | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6e703d50e111ee23983e8b6aa4d4451e1e59158b2bb8bd0c0a7bbe38c708c4e3 | 26 | 4 |
| Potential PsExec Remote Execution | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 534500853b096a12173d832563555b71c1116d432b7dabba079946461ef7e617 | 26 | 2 |
| Powershell Keylogging | frack113 | Sigma Integrated Rule Set (GitHub) | ed239970ee8d5e197f594aacc2fd6f6f6d3dae189b2b2aaea8c2f5d100939e42 | 26 | 10 |
| Sdiagnhost Calling Suspicious Child Process | Nextron Systems | Sigma Integrated Rule Set (GitHub) | 4254515e2214920c73b9dc8a7c9f084744461c248ca9e42ffb9e113d325a2615 | 26 | 0 |
| Suspicious Dropbox API Usage | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fe21430fab5862ef48455258a0cfede5d05b0a4f20d0d459862c92c7b18903cd | 26 | 5 |
| Suspicious WMIC Execution Via Office Process | Vadim Khrykov, Cyb3rEng | Sigma Integrated Rule Set (GitHub) | 651f584b690a75e06a7e634cec7a11b17555debdbfffe3f765a988b80ffeacbf | 26 | 0 |
| WMI Persistence - Script Event Consumer | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 3b638ebc248d5ac99c1adb404e0b5f4adc3784b9af6f02b296381a950e9e8fdf | 26 | 0 |
| Dump Credentials from Windows Credential Manager With PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 5058b79d96d2165425d539e148ae3fe578dfa62b75b71f82ca2bd6bc347be4d5 | 25 | 5 |
| MacOS Emond Launch Daemon | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 839422d12551f797abb514fc052bfc852f3811d1b983090ecd6b6cf2f22d8ed9 | 25 | 0 |
| Malicious Driver Load | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | eb9cde748691b89900d3912132c7152f33c227584d841ece03cb44a1db24b597 | 25 | 0 |
| Potential SmadHook.DLL Sideloading | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f1ba900adfa240d28790516f5652210eac67fe14d06909d4a23dc7da3e2351d9 | 25 | 0 |
| Potentially Suspicious Regsvr32 HTTP IP Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bb39752a4e439774cfd5a035f61c530f6c75b6d694b088178e6c155f78f5563d | 25 | 1 |
| Removal Of Index Value to Hide Schedule Task - Registry | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 23fe3e0423af9fe044d336e0f9a8fd2bc07e40d06ee7e394c6c7fd1bd44273ca | 25 | 4 |
| Suspicious PowerShell Invocations - Generic - PowerShell Module | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3f1f1d4b840f1276832b328fab68511c28f6b7918e887279b03e6ea4735bef7d | 25 | 1 |
| VBScript Payload Stored in Registry | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dc67cd797236fcf12f7a5e58c0d5fc50318e74f58c9d17e6bf7905e87c5a9c21 | 25 | 14 |
| DLL Loaded From Suspicious Location Via Cmspt.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7fde3c5ae3c028a596ad8a76eb1a4b7ab0f64f939f847ef0f25f723659fbae8a | 24 | 0 |
| Delete Important Scheduled Task | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4b6a191a02d514b34f125957168469a325b2720a4b3592aab7d5528aa5afad64 | 24 | 10 |
| Delete Volume Shadow Copies Via WMI With PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 57a9202655d8133d3a5eb0a9d51c9f5dedb6b15cfc700005f6f0d686df4f2ba2 | 24 | 0 |
| Office Applications Spawning Wmi Cli Alternate | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 4e7dcf0bdb7133795dc5f59a3dce3f19d7a78ad417e3b41e7dea915b76bdfd5d | 24 | 0 |
| Potential CommandLine Path Traversal Via Cmd.EXE | xknow @xknow_infosec, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 66a17168752e700a1b57242bfc6b9a345959b5142a99316865e1d44df709c32f | 24 | 12 |
| Suspicious Unsigned Thor Scanner Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 845ad09a7d56e7163ba8162af3cd6b1ecb26b7cc95443795b162eceb8659f992 | 24 | 0 |
| Uncommon Child Process Spawned By Odbcconf.EXE | Harjot Singh @cyb3rjy0t | Sigma Integrated Rule Set (GitHub) | 7e8cf2aa9c53d27e74ec5d758c244e7939c04f5252650030b441077572cfcbe2 | 24 | 0 |
| HackTool - LocalPotato Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3830810896e4e4a4cb02898a844b8488dd8240175e569b96a950d8ae6bcb9c88 | 23 | 0 |
| Powershell MsXml COM Object | frack113, MatilJ | Sigma Integrated Rule Set (GitHub) | 38c7f03136a955c75f92f48bde1f9544a6d996418d05fae60f1efc916f0ea88a | 23 | 3 |
| Privilege Escalation via Named Pipe Impersonation | Tim Rauch, Elastic (idea) | Sigma Integrated Rule Set (GitHub) | 109e6e5533daa3625414a7f58f6a8b34392f3050c582146cfe13876cc85fd9df | 23 | 1 |
| Use of VisualUiaVerifyNative.exe | Christopher Peacock @SecurePeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | c2fb9169c48cfbf7abc02540d8fc5c9d887473aed872aed30dbd4f8a9ead5a5b | 23 | 8 |
| HackTool - PowerTool Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 24223dcd765ae37fd40f3af1054e55119422246e8933dc29b1debbd1cfc67d00 | 22 | 2 |
| Microsoft Office Protected View Disabled | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6d5a609a6b004ff13f827d2c892bfdf14add4eea1de46a0f4d8911bf8f4f7bb5 | 22 | 2 |
| Potential RoboForm.DLL Sideloading | X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | abaa40290a66ddc6c6b30a8e4d86fb5d86e943057cc9bd8c4e412056329325d1 | 22 | 17 |
| Powershell launch wmic via class | Joe Security | Joe Security Rule Set (GitHub) | 1f85dfeaa80a160e0d553a3ac8d1d5139a7622d4d146c43f52eedbe005757ba7 | 22 | 0 |
| Removal Of SD Value to Hide Schedule Task - Registry | Sittikorn S | Sigma Integrated Rule Set (GitHub) | b6b61a17f356fe2363775995997e1051f0931f70e7446ddf4e165f27cc717622 | 22 | 0 |
| Suspicious ScreenSave Change by Reg.exe | frack113 | Sigma Integrated Rule Set (GitHub) | a87fe4afa527fd01cbb17ee26918bbf87dacf9b429f97ede32b8831532ec4d59 | 22 | 3 |
| Suspicious Sigverif Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 56643225c1e622a648289fb75934bcf15ac76a8bdb22a911e9f06d61e7db7077 | 22 | 0 |
| Taskmgr as LOCAL_SYSTEM | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1d1e002f037bffd9b91901474efbd1036622a788849898b81570d37d3ba34513 | 22 | 0 |
| UAC Bypass Using IDiagnostic Profile - File | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 31d928b4b0adc82d81a6490585e87953d808c285ed5d3b25bbe1a461234e37f6 | 22 | 0 |
| Use of Scriptrunner.exe | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ee66b627cde43649f28de57c23b192a559378134d0f4b90b60b77109c8490d7a | 22 | 0 |
| WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 81314be6adb2ae8f1bd104c4f35d68c8ff62ddfea655e64c5b1c92082b72d5ae | 22 | 0 |
| Winword Drops Script In Startup | Joe Security | Joe Security Rule Set (GitHub) | 04a0af687c3b9094f9252dc38ead308fae7facf86cb7e4bf728075c9b17ed9dc | 22 | 0 |
| DNS Query to External Service Interaction Domains | Florian Roth (Nextron Systems), Matt Kelly (list of domains) | Sigma Integrated Rule Set (GitHub) | 9cd7d0464b2ec471865497eaad8a6c4d1a73db7c60ab90f17e39cd455bb7c847 | 21 | 5 |
| Execute Script with spoofed extension | Joe Security | Joe Security Rule Set (GitHub) | 206390e3b1deba575d9f4b3f8321fd015223f5177a8f486a56f6d74cd51afab4 | 21 | 0 |
| New or Renamed User Account with '$' Character | Ilyas Ochkov, oscd.community | Sigma Integrated Rule Set (GitHub) | 6c5cfe607309f4bc96c1644752af6a875fd27ea6910ddff26e40a4ae64a26e05 | 21 | 1 |
| Potentially Suspicious Named Pipe Created Via Mkfifo | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e0cf499ab24f3368c176a6b60e38d07e517a3bb7d26f12ed0da003e47fb50b80 | 21 | 14 |
| PowerShell Get Clipboard | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 524490479b353ff8d877b617014d2cbb9a65d782e87caae21e923760fd2ed255 | 21 | 1 |
| PowerShell ShellCode | David Ledbetter (shellcode), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a8f93a6a21c54d549a6d042e48c067948add81f96231c70f83cdfa345b1f6cb3 | 21 | 0 |
| Renamed SysInternals DebugView Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1de55c288a6fd75ce590378bcc3b9bf02a66b8d45de5928d17d08339f5182586 | 21 | 1 |
| Suspicious Get Local Groups Information | frack113 | Sigma Integrated Rule Set (GitHub) | 098feee88c8a66070a3ec1f3c56be0ede46676cee2b799ba6d309360ce563ba7 | 21 | 11 |
| Suspicious Remote Logon with Explicit Credentials | oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 3f8d6ccb4e7555cba08aa888810b970a1a0a1f79d2a65b51f323b466542ae099 | 21 | 5 |
| UAC Bypass WSReset | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 03fc63d53dd6f6eeb7fef5848db2e4cd11fc7177c187c398320bb3934b751d87 | 21 | 10 |
| Vulnerable Lenovo Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b05e5f1c810aad917ec95aa917177c7a3075f44d37d2ed2b21e953dc69c99eae | 21 | 0 |
| WMI Execution Via Office Process | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 58a51088691ea6b0bb320e61f961a96216f54913353095e97a5b5c6e94ce74fa | 21 | 0 |
| WMI Persistence - Command Line Event Consumer | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 2d6a5c8b5ff6663f305abc5b7d611b99089e2cf4ad71b0b3f9a89d8d05d71a89 | 21 | 0 |
| WMI Persistence - Script Event Consumer File Write | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | f4ab9cd44db2481795fe0edd858471bda0d0b73d8e406124bf76a2a074ac5360 | 21 | 0 |
| Arbitrary File Download Via Squirrel.EXE | Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | c19e1a6a54ccf6c55fb5923bbc85abd4addae819675e8e4958d9e83689e50c81 | 20 | 19 |
| HackTool - Certipy Execution | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 08313c93f25fcc42ac92fbc76a4534fa917a58a2272262a4f567000b39ad92ea | 20 | 16 |
| Hidden Local User Creation | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 084f8f629ce19b2d68d7e27615e59a3ebea0e92f94d25fffcdf6981152cf5efe | 20 | 1 |
| PUA - 3Proxy Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b64369f53ef70c3d7e1d585af2907c0131463758488f404288df85bbb2891ee7 | 20 | 0 |
| Potential SAM Database Dump | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 80a403e95306ff656dab00a85d9565922c30f10b9cceccba105e76eedb357bc1 | 20 | 7 |
| Potentially Suspicious ASP.NET Compilation Via AspNetCompiler | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 58f889a08ad6ce38a9295b6b87119a8d48c26999c14dd5829b08aea2631a5e27 | 20 | 0 |
| Sysinternals PsService Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 647bce287d915da46bf01fa65706878514260f75bea7273d4c5eee115ac0b031 | 20 | 5 |
| Add Windows Capability Via PowerShell Script | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f0193a082ffec8bb49a0621541982fe0c6a2ba5f5b536f62789f83021ee4270a | 19 | 12 |
| Bad Opsec Powershell Code Artifacts | ok @securonix invrep_de, oscd.community | Sigma Integrated Rule Set (GitHub) | c536e387a5fd3183e46be3c9a492ab73e5ade9b45179341ea25fcfe383cee92d | 19 | 1 |
| DD File Overwrite | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | ae140eaae48e1659eb9013e9c7758cc3ebb59100fc5bce9ede4e8a0ca0fb76b7 | 19 | 19 |
| Exports Registry Key To an Alternate Data Stream | Oddvar Moe, Sander Wiebing, oscd.community | Sigma Integrated Rule Set (GitHub) | 9695789356ce1e4c280773e1a4990ee193bc17704d78da2b4acb48eed6061293 | 19 | 0 |
| ExtExport.exe abuse | Den Iuzvyk | SOC Prime Threat Detection Marketplace | b74bcba954f168601bf9276abbb38f732599a67e11aa264ce29f8bc3f056aed3 | 19 | 15 |
| LSASS Dump Keyword In CommandLine | E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5e648013d43c5992b13c647c1b522a289f737e3c1ef665572f75f913fde57c5a | 19 | 6 |
| PowerShell Downgrade Attack - PowerShell | Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements) | Sigma Integrated Rule Set (GitHub) | 68dfd4dca345ef6d2fe87835db75f6e538426102929780a6f37dddb7730cb7e8 | 19 | 0 |
| PowerShell Get-Process LSASS in ScriptBlock | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cac21fdc92116671a9e24502beff8b3cc9b77c6d7a23b8f10aefa65821fd9014 | 19 | 1 |
| WMIC launch script from xsl file | Joe Security | Joe Security Rule Set (GitHub) | cc58aa96e11657d0df0ee460019755b19a5929a979fdadd56569d6b35c03fdba | 19 | 0 |
| Credential Acquisition via Registry Hive Dumping | Tim Rauch | Sigma Integrated Rule Set (GitHub) | ba431c90356b826afe0f0c811dab13c54cbe689123f1167962b6bd8f23edbb25 | 18 | 0 |
| File Encryption/Decryption Via Gpg4win From Suspicious Locations | Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 18478181b6b617e46cc3c32642d9a39ff265353a398f2aa515a11e6b0fc2097e | 18 | 0 |
| Forfiles.EXE Child Process Masquerading | Nasreddine Bencherchali (Nextron Systems), Anish Bogati | Sigma Integrated Rule Set (GitHub) | 32fe36abb39d468ad23cc377de33068c295dce79c9d36eb1c0b7fc94d2012270 | 18 | 16 |
| LOL-Binary Copied From System Directory | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f3c07a8418c3bded0e6f5bc97177ca9d501ba33f7bc9936b907b11f939603b14 | 18 | 0 |
| Netcat The Powershell Version | frack113 | Sigma Integrated Rule Set (GitHub) | afccc7dbdf0a361ce026bc9a376283952eb427865b9051cc07fd5ff5ed819482 | 18 | 0 |
| Potential Suspicious Windows Feature Enabled - ProcCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 357a1509ab7f78c2a398c655fccc9dc788108fb9790efbdce90601bcd6d4b4de | 18 | 9 |
| Renamed Sysinternals Sdelete Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7d63599d287fda108a45075e54ff5b89384e0fbceef8bccec56b981f485b278c | 18 | 1 |
| ScreenConnect - SlashAndGrab Exploitation Indicators | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 23407cdf316994ee153a1d8c66bd52f5a92b9564c834831e984ea04d66dc2f92 | 18 | 0 |
| Suspicious Debugger Registration Cmdline | Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | bf194ab090c7130529a9fd6a7f876d5fc008ceecf627db81eef41431ffaa3c53 | 18 | 3 |
| TeamViewer Domain Query By Non-TeamViewer Application | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7f5bb3e63c485ed446ed15d107875dc222ef1503df0aa3b709ca9bd920eaba52 | 18 | 8 |
| Wlrmdr.EXE Uncommon Argument Or Child Process | frack113, manasmbellani | Sigma Integrated Rule Set (GitHub) | 67d3612b65ef2b4db5ee2d86f8437cc82d5e33395a852f7540858df8738250fe | 18 | 0 |
| Bazar Loader Detection (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6e25203533b4bcc3b9ce1805fbf4ec196d2fd6139dcf17880caf0e2952c3ebfe | 17 | 0 |
| CrackMapExec File Creation Patterns | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 025208b5b73f1640ce17844eb62f40d4ee3a9bf72b84c9cf66b9777b72e2ed33 | 17 | 1 |
| HackTool - GMER Rootkit Detector and Remover Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e47f51603e07d3225e0193822f65d9ce5fb78441750008f7e5ae695626585c7f | 17 | 0 |
| Indirect Command Execution By Program Compatibility Wizard | A. Sungurov , oscd.community | Sigma Integrated Rule Set (GitHub) | d4b25cba1a95e034ae6766147690611472b8ce274332b1aee27da6faa04335a0 | 17 | 1 |
| MedusaLocker | Joe Security | Joe Security Rule Set (GitHub) | 210f9984c24831780960074692a8e0641937345a359f29224036fa53ab77414b | 17 | 0 |
| Microsoft Sync Center Suspicious Network Connections | elhoim | Sigma Integrated Rule Set (GitHub) | c122f750d19364e5cdb16e7fcce3cd01da31e9d258cfd5dc255864758d7d44b9 | 17 | 0 |
| PktMon.EXE Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 2718243600ba0f2b3eed38a165f571cb8da2eeb23fd54844632d62088a47ad03 | 17 | 8 |
| Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b027ab789fb9aae6408830caeec9ddb51799862bf5bc8adc8cfe393d6483a66d | 17 | 4 |
| Potential Persistence Via AutodialDLL | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 164cdc408856848b0eb1ce6165a865e2b8dbd9fcf0b5aa393fd7f1af640ff05e | 17 | 0 |
| PowerShell Write-EventLog Usage | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fa5822a3aeab0960eda08e8d46a8126db47dc54aa6a0e0ae7a7163dc7fe9746e | 17 | 10 |
| PsExec Service Child Process Execution as LOCAL SYSTEM | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f568e89bc8387361d0bc168c8a46059280d10de1ecffdc0e99533b7b290401af | 17 | 1 |
| PsExec/PAExec Escalation to LOCAL SYSTEM | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 95ab10477326346ad231600df85597b403502c24947739b6a2b5bf75469a3024 | 17 | 4 |
| Shadow Copies Creation Using Operating Systems Utilities | Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 16e1527c32b0f67a6b8e3dfaa73ba62c13f73f46a6b0d5962dd823d9ecac933c | 17 | 4 |
| Suspicious Child Process of AspNetCompiler | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 740b947f37e23aebf12426023d92751904b9df145f63f09b91fdabf8d5aee1bc | 17 | 0 |
| Suspicious Key Manager Access | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c7e5c778b0f4b6273f393fd9e32d97fe4145b2b1b3a8de87a9e02cd66f9c4383 | 17 | 13 |
| Use of OpenConsole | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a98f3c123f3a93c1b00c4d125f1350e14a15b206767e6a109767a0229611baa2 | 17 | 17 |
| wmic launch powershell and execute encrypted script | Joe Security | Joe Security Rule Set (GitHub) | 016a456c70d6e45a65219e2ee0e3972cd7104bf98c318e2f088a07f71fde0d43 | 17 | 0 |
| Alternate PowerShell Hosts - PowerShell Module | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 5b34558f1c4d3065989635055533ba223585e99be44e2b0e319dfc6946c50ee2 | 16 | 10 |
| Dacls RAT (Lazarus's Linux Malware) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 79cabd2716a91ac3ac201a106a3c135e584d110d8527ac138457a5b89fb2b2a6 | 16 | 16 |
| HackTool - SharpChisel Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 23eb4319cc6c1995a632adb591fa9b089822a7ef6061519fdc43832fac6bfb69 | 16 | 2 |
| NET NGenAssemblyUsageLog Registry Key Tamper | frack113 | Sigma Integrated Rule Set (GitHub) | 1c1e1293dd905ae64df7a2e7f1182a624c3a618d411c80d0aff46ed4562d6da4 | 16 | 0 |
| New PortProxy Registry Entry Added | Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | e95b67f51925e56d5e1ce56881ff5e65536dbd80108577670b3adf94d708f2e7 | 16 | 2 |
| Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 9c3168b8b2ff965a5cf3ed36f4ce722df9e09021fbbc44075916c77d2132bc8f | 16 | 7 |
| Potential PowerShell Obfuscation Using Character Join | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c4862257a12a109601071c91c17d133a44fa8e8b4a3f950b8bee653e573678bb | 16 | 4 |
| Potential Remote Desktop Tunneling | Tim Rauch, Elastic (idea) | Sigma Integrated Rule Set (GitHub) | b0551b45d814be91563636b774668bc85acfc296a30640e00aa036f4813d0809 | 16 | 4 |
| Potential SquiblyTwo Technique Execution | Markus Neis, Florian Roth | Sigma Integrated Rule Set (GitHub) | 293439c3a9a4af09073b054953f425c95028a6ac98eddc611a461090bd1f3373 | 16 | 0 |
| Private Keys Reconnaissance Via CommandLine Tools | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2a86897d4c284135c8e21105377149da6e12d9f57525bfdccdfb55cf4b3425fc | 16 | 5 |
| Raccine Uninstall | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ce4fb10349cd95756b2f98a27b259d71c99ec9e0323815f2e916737fcbd1d4ba | 16 | 0 |
| Remote Access Tool - ScreenConnect Remote Command Execution | Ali Alwashali | Sigma Integrated Rule Set (GitHub) | 12aa67b79c3edf7fd84e93ece836d07fcd28e945a17f4c2210723213ffb42055 | 16 | 1 |
| Suspicious Processes Spawned by WinRM | Andreas Hunkeler (@Karneades), Markus Neis | Sigma Integrated Rule Set (GitHub) | dff6f482b1c3296a1eba449d732fe05e7b9a61f56c3849298ee9d06cec81c941 | 16 | 0 |
| Abusing Findstr for Defense Evasion | Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 47d19568dce3538a5fd8f2ddbd8388f28dbd91d200dc9a91d8166cb957ace155 | 15 | 8 |
| Anydesk Temporary Artefact | frack113 | Sigma Integrated Rule Set (GitHub) | e10fbca4d86522aeac83abdc331770c474bf85a4fbe87cff23642eb6a498969a | 15 | 3 |
| CertReq.exe Lolbin | Den Iuzvyk | SOC Prime Threat Detection Marketplace | bc9b5e9188d37350da57ebc0b5b9ccc8a2ee828e827a15edb38904b64317a291 | 15 | 2 |
| HackTool - Dumpert Process Dumper Default File | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f98998b2f0e9bb08954d741777bfdb257c7cb3dcce96f88af84ecf966e2e5695 | 15 | 0 |
| Import PowerShell Modules From Suspicious Directories | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8d3babfc30026e6742962ab48698047f9a8036f0689ca28804828a0f4c74c1a6 | 15 | 14 |
| PUA - Wsudo Suspicious Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 52ed387697917fea6508ac90f395dedf45d52b74d34188d52bf6be42b4ab9697 | 15 | 4 |
| PowerShell Set-Acl On Windows Folder - PsScript | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | afd1a2b3a7d64a4c20cc388003d71422020c407abe143fe186e350fdcac57a3c | 15 | 10 |
| SafetyKatz Default Dump Filename | Markus Neis | Sigma Integrated Rule Set (GitHub) | 5b2f81ece2c70e3e5e4dd770e0b9c755c90c099bf527d2b257d43e1193585d13 | 15 | 0 |
| Suspicious Get Information for SMB Share - PowerShell Module | frack113 | Sigma Integrated Rule Set (GitHub) | 8f4c645fe661dc0ebdeff288f1761a20acf930f02e4c51bc48e6bafc245c1006 | 15 | 9 |
| Suspicious WindowsTerminal Child Processes | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 38cc71193a6a791f4d2ddb67fdf3a6baafab25ec9f4c861b11fbdca1c94a3f08 | 15 | 0 |
| Cat Sudoers | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 39e0f78f119c00983f3d546cbeed2a8f110ed703f5c5b1b18733a235b5fd0b02 | 14 | 11 |
| CodeIntegrity - Unsigned Image Loaded | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b306695b6bb97e25e9d1a099c04eef42798259832fb062ad308fd797016c49d5 | 14 | 13 |
| Creation Of Non-Existent System DLL | Nasreddine Bencherchali (Nextron Systems), fornotes | Sigma Integrated Rule Set (GitHub) | 3177080de9eacb01db500eb08111e0cbe691a57ed11d8bbeffacd6e8ef6e9b2f | 14 | 11 |
| New Service Creation Using PowerShell | Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 7295161a311508a2b2b0c90fa652ea09872640a00c671f294d6a4780a85b83c2 | 14 | 3 |
| Office Macro File Creation From Suspicious Process | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8f4f518c1c5f1faa9ad744166d845016dc78c82b4c7f38011fa687462b1afa18 | 14 | 1 |
| Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b781bf9d3f406d9c4af525fd205bc5651cf5222b563981c53c4fbd9e36ad1407 | 14 | 8 |
| Response File Execution Via Odbcconf.EXE | Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 18ab8cf17024175e4f1d5ec237de24dcfb16890beb4847d0e90e79e0c59cfc85 | 14 | 4 |
| Security Software Discovery - MacOs | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 96f1ded9c8d78d6aecb533a9fdde682e09aa97bc94f4d21bd39577705c1d7547 | 14 | 4 |
| Sysprep on AppData Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 76d39c4238c645e864f006400ab59ebda393cfe12db20d6f7ec44eac3b27f6b3 | 14 | 1 |
| UtilityFunctions.ps1 Proxy Dll | frack113 | Sigma Integrated Rule Set (GitHub) | 49b5176aaffe3fdb7bacc0dff70b5ac48bf0872faf993e311c4f5530db76a160 | 14 | 11 |
| Add Windows Capability Via PowerShell Cmdlet | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 684b246bdb157e11d1985c522a8f891d7dfea0ec8d30864c9e2fe04cc9564973 | 13 | 2 |
| Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 84d018445ff2f74f3d42483a4605f7bf5d16da359866d95b1be54371131e5836 | 13 | 11 |
| New DLL Registered Via Odbcconf.EXE | Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e5548908b8b99ebdd4de66bfaf33ddcef3df5c1a83d217f9809e9a2eeb0a8e1f | 13 | 5 |
| Potential CVE-2022-26809 Exploitation Attempt | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a212f91d8c2a0d339c91a9344ae02c2847e74c85458506b719d65b59e4e79069 | 13 | 0 |
| Potential Mftrace.EXE Abuse | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 70d88530c350b96b4e059f6e128a58c0cce646e61c82107835f0204bdb1192bb | 13 | 0 |
| Potential Persistence Via Scrobj.dll COM Hijacking | frack113 | Sigma Integrated Rule Set (GitHub) | 9d0ab0b7154dbe461f0e116296f545e8955e0c85892bcff2de2b680e29ba2af3 | 13 | 6 |
| PowerShell AMSI Bypass Pattern | @Kostastsale | Sigma Integrated Rule Set (GitHub) | a7940883a0164e9f8e04f1c88ad85ebf44ddd11d7a06aa93f7c42c3111a33d01 | 13 | 0 |
| Tycoon Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a1c44f103e75c8295cdbb587af4bac07f2b77445d54c17a424e7dce924a981ce | 13 | 7 |
| Windows Defender Firewall Has Been Reset To Its Default Configuration | frack113 | Sigma Integrated Rule Set (GitHub) | 00b96bc8d00802244409c54614fa31f98fe83547c5c43f4fd78e891c16f792e2 | 13 | 0 |
| Copy Passwd Or Shadow From TMP Path | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 8ded73daf32e44d8446fc45b91e962b9508d911e85c06d0481f7c4321eba41fd | 12 | 1 |
| DirLister Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 1f0dfd07d0caa1048bb3bb336c0d72bf884362c570c7a4bd683aa30e5f81ea19 | 12 | 2 |
| HackTool - CoercedPotato Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 665180f2daed28e41508871b665e63276343206dad8c8dbd86bd97bab857f5d2 | 12 | 0 |
| HackTool - KrbRelay Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 03e06bc61499c16b25ec22e9681f9e9633dc812e30ec543e7a5105ecbf3220f4 | 12 | 0 |
| Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 7943e73e12090a40bcc5a95e498a4655704cd76a8f1cc15acfef595e7f85a442 | 12 | 0 |
| Lsass Full Dump Request Via DumpType Registry Settings | @pbssubhash | Sigma Integrated Rule Set (GitHub) | a3907c9a6a9a7e855b8ae2313f70c84cb7ed140f7e46502006474974da28e14a | 12 | 2 |
| PUA - CleanWipe Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ede87d3abc8a99be3ca19ab4102e923f13e3f7b181cde6eddea9e6f1593b1e77 | 12 | 12 |
| Potential Fake Instance Of Hxtsr.EXE Executed | Sreeman | Sigma Integrated Rule Set (GitHub) | 8dd172636988b9cdc1bf44aaceb27f6009d97516c54decea0812022b61cd8d7a | 12 | 12 |
| Potential Meterpreter/CobaltStrike Activity | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | 22ddfce5e8a79e957f4dbdceb97e27d764b010d395a20fd45cf95a20d02b53e9 | 12 | 0 |
| Potential Persistence Attempt Via ErrorHandler.Cmd | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 118315680d9be2facc48920f16da11dcf001dcab58a40dfb2466c3118eaaa4b0 | 12 | 2 |
| Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE | Alejandro Houspanossian ('@lekz86') | Sigma Integrated Rule Set (GitHub) | a6643da2e3310cc36e0e016ed24d7b75aaab7d235acf5d3e46618b8f2c3d94b6 | 12 | 1 |
| Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 810120d4a8fae64091e6c4056b2ff78e02b530e2b6ecce817ed590937d637f16 | 12 | 2 |
| Renamed BrowserCore.EXE Execution | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d41dfd30129ef96d21bf50a0af9161636d21ec67ec25000786a06ba54a7cb7b7 | 12 | 0 |
| Scheduled Task Executing Payload from Registry | X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 746f7076c751ad73e28f35f1b0cf28741457217c7d9eeec546aae0616ccd5ffd | 12 | 0 |
| Allow RDP Remote Assistance Feature | frack113 | Sigma Integrated Rule Set (GitHub) | 166df8c1d3e7f7c5a9fbd54dfc633614e8f49352354a3f5d9fe7ea04de73be78 | 11 | 6 |
| Credential Dumping Tools Service Execution | Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 25727cb75bc931bc91e433f5340be32ccedd13bf460a2fd8da5b1a8d8b4a369b | 11 | 0 |
| Enabling COR Profiler Environment Variables | Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops) | Sigma Integrated Rule Set (GitHub) | 54d006ecd6dae89f884b01b6fbaa0d8010a9ab60d59993aa4d10c45146c3b4ca | 11 | 6 |
| HackTool - PPID Spoofing SelectMyParent Tool Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1b73c8337d65bc8a945dd977fe40a0c1b9ef6b3e5b6fee0703621d9a088a9e48 | 11 | 1 |
| Hidden Powershell in Link File Pattern | frack113 | Sigma Integrated Rule Set (GitHub) | 9e321ddc9cddac65fd520665184681e53aedaf0652832edb168aa27ac04e59ca | 11 | 0 |
| Linux Recon Indicators | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 89dfaef258fef652c6b4ad4126f6bccece50ba696d0208cfc0aed440c1a9ab20 | 11 | 4 |
| Lolbin Defaultpack.exe Use As Proxy | frack113 | Sigma Integrated Rule Set (GitHub) | 33c04ff56fdad87a0289647b36de2841f4a6fa4866c8656a4005c9f9048ce732 | 11 | 9 |
| Malicious Driver Load By Name | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 906bfd56d8137360d8bf73ae2a77e12c06e9fcf42bbd522bb44ec062c598a74c | 11 | 0 |
| New User Created Via Net.EXE With Never Expire Option | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4fa8ae2d822b83429e6b1a89ab0c9e8f9a3e769aedaf64ec7147fb1339f9f2f5 | 11 | 2 |
| Old TLS1.0/TLS1.1 Protocol Version Enabled | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e7999f5a682142d347ffd96c83545986ff1386f44917a1a86cc4d39b4fa2b8c4 | 11 | 5 |
| Potential Chrome Frame Helper DLL Sideloading | Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) | Sigma Integrated Rule Set (GitHub) | 5b77fa52ebf2a5c351fd8dceea7d49b56575b2380b0a9487f4c0707000e2619f | 11 | 8 |
| Potential Data Exfiltration Activity Via CommandLine Tools | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 10f9b0f9e2b7be69811ff067e358984311772914e6957f50adf963207948fe4e | 11 | 1 |
| Potential LethalHTA Technique Execution | Markus Neis | Sigma Integrated Rule Set (GitHub) | c1db9b15fbf203a696f2047d6ce2c7c32283587487a72c4333b63b8005e6a37c | 11 | 0 |
| Potential Memory Dumping Activity Via LiveKD | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f0f9d14e111aa91965d2d0a99eb4d846dac08daabfd373803a6a7e4fa61fc4ba | 11 | 1 |
| Qealler Detection Rule | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c8b5691bd0f6cb0670869259285160320643f60ba111d9c93b81c6bc5e088037 | 11 | 6 |
| SQLite Firefox Profile Data DB Access | frack113 | Sigma Integrated Rule Set (GitHub) | aa3ad15f592c022521aa6e4bc687dc3c181cea9b9343b55e1b909bc937113348 | 11 | 0 |
| Suspicious Keyboard Layout Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1e8253d40fd15968a25971ec64e35f84f90536676b445d16184bde41a5fc6ba0 | 11 | 2 |
| Suspicious Reverse Shell Command Line | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8e3a8f0b4e0bf72703dfa7509e194c8bd77b591184bf65292cf9c554fe5d7149 | 11 | 4 |
| Suspicious Use of /dev/tcp | frack113 | Sigma Integrated Rule Set (GitHub) | acaf2d56329609a17ef157534fe784b3570d4c344a3eff25b493f541a2526056 | 11 | 4 |
| Cobalt Strike DNS Beaconing | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ae9cf008e7075ab1e5658ff0f1449d564314bf06bb13fc381dda84df5e63e523 | 10 | 0 |
| File Download Via InstallUtil.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 74bf8f7775d6752c01caa0e5567c487ed43033b01b06fd72118ddb922ba1fae7 | 10 | 0 |
| HackTool - SharpImpersonation Execution | Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 94b769b76d6dca121622b8559c3f5ed337893a1ee9dbbe67442d2f649a373b42 | 10 | 1 |
| Locked Workstation | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | b1f5ca9566ca9b549b32bfe57eee2e7ec1ae42a47aeba5cdf24c69c64e35dd5f | 10 | 4 |
| New Service Creation | Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 0e01e0ac3c9d7b292996c00466851ff64ca8e3aabb384b096bddba88aa769464 | 10 | 0 |
| Potential DLL Sideloading Of Non-Existent DLLs From System Folders | Nasreddine Bencherchali (Nextron Systems), SBousseaden | Sigma Integrated Rule Set (GitHub) | a9e64c740dfa885688164e22b515ae2bbf72a98c9b78c4cc612d3789cd06b93d | 10 | 3 |
| Potential Persistence Via DLLPathOverride | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 19aedbf22a521287747df9d67d6f407fc9649a0c68f0cc7799c606dc1d952532 | 10 | 10 |
| Potential QBot Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0453733ce01d4d10623584c342bf2a905ff761f1fb7b0bfbadcb80e8d940c32b | 10 | 0 |
| Potential Snatch Ransomware Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d48381be3227e49cd9d42fdf472184d9e4db1b4fbe72ee6048739f0af5913e9f | 10 | 0 |
| PowerShell Base64 Encoded Reflective Assembly Load | Christian Burkard (Nextron Systems), pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c29bdf15b24c1c0a11c8652a68f53594b306a585e56099b3a1b22cfb438e5247 | 10 | 1 |
| Remote Access Tool - Simple Help Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f5bf8f63db9709b4fe83cff6a47977397b7d9b5122302643931941983a6f0d9a | 10 | 0 |
| Spora Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a656aafe4c0cca78f1ad9cc5fe8f97b01ab237e247591a7100edef559c032f30 | 10 | 0 |
| Suspicious Regsvr32 Execution From Remote Share | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0415bc3e4953b49601e59c9e77f268c8b8163cb32d777dc5a37b169f9fcbd8ca | 10 | 3 |
| SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code | frack113 | Sigma Integrated Rule Set (GitHub) | 37beaf97b85714dccecd452e684c29d067adea49095ddf3ec6631dc8acf14337 | 10 | 0 |
| Application Whitelisting Bypass via Dnx.exe | Beyu Denis, oscd.community | Sigma Integrated Rule Set (GitHub) | da46c4a25c9b1a9291dd79b4539957b5ab71a6f2d75da9a90cfe48f74048a9a9 | 9 | 0 |
| DNS Query Request To OneLaunch Update Service | Josh Nickels | Sigma Integrated Rule Set (GitHub) | 3141ca54d65e69f8e114e2bc754b4e0fdd364ecff79dddb87ef2f62ad895ec46 | 9 | 5 |
| Defrag Deactivation | Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1) | Sigma Integrated Rule Set (GitHub) | 8428866bf6cbf8ea04c18dc9a8ebd493a8a882a9b706b557f71d376cd69fda79 | 9 | 6 |
| Explorer NOUACCHECK Flag | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 787401eca6027a528e035e6315ce80b537c4d3bd9944cfaad07ca911aa306675 | 9 | 2 |
| HackTool - Hashcat Password Cracker Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 9621c87be63b1ea5e038a8d2759bc0bbe6a5ee4f322b9763fdc06f159d781698 | 9 | 1 |
| HackTool - Jlaive In-Memory Assembly Execution | Jose Luis Sanchez Martinez (@Joseliyo_Jstnk) | Sigma Integrated Rule Set (GitHub) | ef084ef7df4d6d338332a4adf3272c6d7b031a4529a2d7030ec19c2a0e0fe9fa | 9 | 0 |
| Malicious PE Execution by Microsoft Visual Studio Debugger | Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community | Sigma Integrated Rule Set (GitHub) | 833d1e3036176fa960339790e9389d39187ba0c444aa4b1f1d3adc81c860b9fd | 9 | 0 |
| Potential LSASS Process Dump Via Procdump | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a6a60c80601bd33b44e65b559f9e53c0b9237ab7f54ca97530065cd494662e3b | 9 | 1 |
| Potential Reconnaissance Activity Via GatherNetworkInfo.VBS | blueteamer8699 | Sigma Integrated Rule Set (GitHub) | 93d3c8484d953299cdaafb696acdb7e33fd8a569cd8682a0d501a122f2b8290b | 9 | 0 |
| Potentially Suspicious Child Process Of VsCode | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2b2fdd02e6d67b114c93dcec1de1de2532845d73efb0b0201ca22e901501832f | 9 | 0 |
| PowerShell Script With File Hostname Resolving Capabilities | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 230d92ec3109cf1df60e1e9e3af5b45cd871c5458a607630ae6655e5d373e629 | 9 | 2 |
| Suspicious PowerShell Mailbox SMTP Forward Rule | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a9b0d95e9a34c915ab22d89c790c054977cd6411f4fdebffa6e36f09e5376c9c | 9 | 8 |
| Suspicious SYSVOL Domain Group Policy Access | Markus Neis, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | ff263a69e24c4173f3baabd03b59d71e2dd4679b248e9bf0851bd9852043117c | 9 | 9 |
| DNS Exfiltration and Tunneling Tools Execution | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | b5eeb195cf8da826ce09652556c789913808b5869a15ad6d6771d084721b65e0 | 8 | 0 |
| Findstr Launching .lnk File | Trent Liffick | Sigma Integrated Rule Set (GitHub) | 2db81575319b095e5240489dc39a6070fb3e587fb35a6c988f38cbc71fede886 | 8 | 1 |
| LSASS Process Reconnaissance Via Findstr.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e3175b1068c342ed7e05a42913dc8cb72ea0167a81bf24fc620261d4ec40f78d | 8 | 1 |
| PUA - Crassus Execution | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 43a1d4f767ed0c719d573fd6ddfd62abcd7f8ebc365f97d7c2f83f9a7eeac91b | 8 | 0 |
| PUA - PingCastle Execution | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | fd0cd897f506978ff6667a20ae3279271012ea71e5721e9fc659e91605c9ceaa | 8 | 3 |
| Potential ACTINIUM Persistence Activity | Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | 58bd50bf4c2f3dee57aac7f6c2f5671bd781f59b9e71a8c191de01ef8cf53de0 | 8 | 0 |
| Potential AutoLogger Sessions Tampering | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 71000aa981db521aed45841e26a97e5761747be7e168201f1ea473ad3536fb85 | 8 | 0 |
| Potential Persistence Via PowerShell User Profile Using Add-Content | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9ed950c94ef5dce1af4ac6ba1eb25704edd170e1a75506e3095eb362e63eab6b | 8 | 6 |
| Potential PowerShell Downgrade Attack | Harish Segar (rule) | Sigma Integrated Rule Set (GitHub) | c2de0fe89604a2026e004a0872e75e079b8632fcc9ef341e34017c52fbb2eba5 | 8 | 2 |
| Potential Remote PowerShell Session Initiated | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | acad8e3e215caeb927f20d9296b9e48f54d909e55d58cb5b27bb4d334ab477a6 | 8 | 0 |
| Powershell Store File In Alternate Data Stream | frack113 | Sigma Integrated Rule Set (GitHub) | dabcdcdecebe87ed3085b193d3ed09029f3556672622b42d5759dc816f0b6173 | 8 | 4 |
| Renamed Cloudflared.EXE Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 873e85f733935e924e8f1fa74c1f9f11028b553ba91de13826d5333190210b11 | 8 | 6 |
| Scheduled Task/Job At | Ömer Günal, oscd.community | Sigma Integrated Rule Set (GitHub) | 4b0543e80b3bd16b1e6ea919e7bc4a108b206468266597c7a5147cd615f35fe3 | 8 | 6 |
| Suspicious Get-Variable.exe Creation | frack113 | Sigma Integrated Rule Set (GitHub) | d3f846e7661da10674d978e09815c9157764a57fc6651e2b2f8cb498cb4220b0 | 8 | 0 |
| Suspicious Git Clone - Linux | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b45fda745c28f956a8d08fcefc5abdf9259342cdae5876d32e23f0f97ff99d1e | 8 | 8 |
| Suspicious IO.FileStream | frack113 | Sigma Integrated Rule Set (GitHub) | 08e71eab529494c6cef4d7f699f5d95c87b1d954ee61b6f061d7005246b726af | 8 | 4 |
| Suspicious Process Patterns NTDS.DIT Exfil | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9c132dee2c953c2d2497b3e00b2cf2309bc1f44409b130f0e34af66f9edf8713 | 8 | 2 |
| Time Travel Debugging Utility Usage | Ensar Şamil, @sblmsrsn, @oscd_initiative | Sigma Integrated Rule Set (GitHub) | afad13c67de2842888c6d4678ab0ab46d7369e91b6c7fb525482e91294e4ccad | 8 | 0 |
| Uncommon Child Process Of BgInfo.EXE | Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community | Sigma Integrated Rule Set (GitHub) | 3a9675abeacca74d231073efcc4c362ddc755278240288e69cd34b2f2052cffc | 8 | 0 |
| VsCode Powershell Profile Modification | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 59db8591e12ce774c3ed205213760eb2341a6314257edbd898e991ea42d98e80 | 8 | 7 |
| WMI Backdoor Exchange Transport Agent | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b02fbc5fd12d501dbd78749545483c506550bfb474efa9683e58ac4b2e4211b0 | 8 | 8 |
| Zip A Folder With PowerShell For Staging In Temp - PowerShell | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | 70e3421aca89a28b1d599aafae9fdd903822e32a691eb39731812bc02f3b9dcb | 8 | 0 |
| Blue Mockingbird - Registry | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | 047c4b3f6b03d9a7cd611e4baaeffab7d6854460859ecf302466ae225ddaf2c7 | 7 | 0 |
| Connection Proxy | Ömer Günal | Sigma Integrated Rule Set (GitHub) | 70f387e708b9ab503041091a0b074a7d2aa84dea74f61b398fa6fc3f154dacaf | 7 | 7 |
| Enable Restricted Admin Mode To Bypass MFA (via sysmon) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 7b0a12d70498be6b75106baeadc6572fa8f03b6e6ce96998c3c84f14e5dd19a6 | 7 | 3 |
| Greenbug Espionage Group Indicators | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f29ccc5a8616c9c1119e794b857a0425268bf5ee86863b612092ec5e045863ed | 7 | 0 |
| HackTool - PCHunter Execution | Florian Roth (Nextron Systems), Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 8046d8e3f3ef408857439eaf28938b362576b464ba00290a73789cfc2fb05d9d | 7 | 0 |
| HackTool - SharPersist Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b0c69b8d2020a5d6c12bee42bba9e6d94b6b9045ea1920405133ee19546dbcab | 7 | 0 |
| Install Root Certificate | Ömer Günal, oscd.community | Sigma Integrated Rule Set (GitHub) | ec31a3e8dcd4d55b032d9d6697f403b4260762840a75ef84a25fec68f4d78fd6 | 7 | 6 |
| LOLBIN Execution From Abnormal Drive | Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti', Aaron Herman | Sigma Integrated Rule Set (GitHub) | 238344575bbb5eb706fb34305ba1e18c4f040fc25f6e6aede8cae2d0bcdc64fe | 7 | 1 |
| LSA PPL Protection Disabled Via Reg.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 80855f8a9447aabc3c921b18396835e82ab35d2beb39b56f2d34d156ca2ac9ae | 7 | 4 |
| LSASS Memory Dump File Creation | Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | b0e4aa7c882545a1b46a09c373f3abc99ee9ad92c5cb99e1b8764356501b3059 | 7 | 0 |
| Nibiru detection (Registry event and CommandLine parameters) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8bbea961d969188574b7fe958c971caadd38b955cc77f21093d7d5d266e4d697 | 7 | 0 |
| PUA - CsExec Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b2300d5d918bfa55070c1a6c9eef5422d85306572df402f76d8549d97778851a | 7 | 2 |
| Perl Inline Command Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d7702078dd10096eb5abed05e061a8a1faec0e7904a86b6b39f6faaaa294190c | 7 | 5 |
| Ping Hex IP | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a78012a975b5cccbdd9caf22ce8a5065aa442b2459190ab2a3a0b39e1eb66bee | 7 | 0 |
| Possible Process Hollowing Image Loading | Markus Neis | Sigma Integrated Rule Set (GitHub) | fcf7620e2328b946e9b3d0f404695a61a8943ec4865dcb48e4be1d1094ac3196 | 7 | 2 |
| Potential CCleanerReactivator.DLL Sideloading | X__Junior | Sigma Integrated Rule Set (GitHub) | a8fd4a570107258e03b26b713f8828ce9b12422ae791b631ae9f0d43db3d7c05 | 7 | 7 |
| Potential CobaltStrike Service Installations - Registry | Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | eaeadfa6378455d35bc7d294a678cf68a5a8c6c2b5417d038a80d96bdf2e76de | 7 | 0 |
| Potential Emotet Rundll32 Execution | FPT.EagleEye | Sigma Integrated Rule Set (GitHub) | 4e5ef297fadbdf1fbd3c57b71841275af9687495d2f45e59fcbabdba98315434 | 7 | 2 |
| Potentially Suspicious File Download From ZIP TLD | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 03db66b3c4d5474f5f84d9a053f19cfcdcf35d396fad150f9e8cef0ca6218550 | 7 | 7 |
| Potentially Suspicious Windows App Activity | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8402e63c9283e770df7e32f8492615ebfdafa4151c457b3333e29ee11564c4b5 | 7 | 5 |
| Potentially Suspicious Wuauclt Network Connection | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 797b0bc9c2136612087c0b95b2f7917f60d1429162e72a7207861e247618dae3 | 7 | 0 |
| Query to Ammyy Remote Access Software Domain | frack113 | Sigma Integrated Rule Set (GitHub) | 5d5ea99f7c040a6706db9d67e16b384eebe02132d410d1f9edc4131c8045469f | 7 | 0 |
| Renamed NirCmd.EXE Execution | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1240085183732053f634278b3248292410a8e5db2568b88f00d683a99c69995d | 7 | 0 |
| Renamed PAExec Execution | Florian Roth (Nextron Systems), Jason Lynch | Sigma Integrated Rule Set (GitHub) | 58a87adff5b80f1f00537e13c96a7a3ca3c24b661fb3d6f998ed9a120ad72ccf | 7 | 1 |
| Root Certificate Installed | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | 80e21a1883c10ba77d6f4a1b0b6903e9ba65d57e1874d2cd81b121f762481c64 | 7 | 0 |
| Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 413ab718402521225cd65e7866d07b849a38758c52a3bf913da2fcc4bce26ab3 | 7 | 6 |
| Third Party Software DLL Sideloading | Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) | Sigma Integrated Rule Set (GitHub) | c928de859419e27752e8b2fccceed03920e3be606bd678e119c3d5fe8ee94a9a | 7 | 1 |
| Typical HiveNightmare SAM File Export | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f89983755305fab46f3677edade72743effd233979db77ffa6c51a9d1fb4a18c | 7 | 0 |
| Audio Capture via PowerShell | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | db002a5ffd8be8305184d197dda045b272ab439c9fc205a6ce985e3eb911df70 | 6 | 3 |
| Bypass UAC via WSReset.exe | E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth | Sigma Integrated Rule Set (GitHub) | ced1e1a1282b5d51ede1ac7a7dcc08496c538aeeb8bc6ecc1f72af56cd773d04 | 6 | 0 |
| Detection of PowerShell Execution via Sqlps.exe | Agro (@agro_sev) oscd.community | Sigma Integrated Rule Set (GitHub) | 541caef712c71465ca223d69670a2ef4826f41323f21f161bc699c23ba201602 | 6 | 3 |
| DirectorySearcher Powershell Exploitation | frack113 | Sigma Integrated Rule Set (GitHub) | 59fea38f0030f37a8b1bcefb7450d7a94ba474f5e72db8b8f7a4850d643ad2e3 | 6 | 3 |
| Drop Binaries Into Spool Drivers Color Folder | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2ef7bdcb98df6e413074966907c161b915f676e3f947a452e418049eeed22b75 | 6 | 0 |
| Execution in Webserver Root Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d11dfd4a7ffb536505adf98a4b97c1540b6e89a26661bf9f238b4a4d8f3133a9 | 6 | 2 |
| Get2 Downloader | Joe Security | Joe Security Rule Set (GitHub) | 959a4fa9a66799f33b7f7ea4c82ec1869a3031768b47d0a7be1221b66ee355bd | 6 | 0 |
| HackTool - PurpleSharp Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8cdb5f2da7eb9e3002ce4bbdd8a373b7dcd25103b4373f9b672e54f74c5316e0 | 6 | 0 |
| HackTool - SysmonEOP Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6fbc0321364b37bef63538725c9c7e8e9c0702db310e3060a5da9d201d72a796 | 6 | 0 |
| Macro Enabled In A Potentially Suspicious Document | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7210b6208abd6826bfdb8d8666ae792549157fe8070e355cad577fd8f9ef6499 | 6 | 0 |
| Mshta Spawning Windows Shell | Florian Roth | Sigma Integrated Rule Set (GitHub) | 464455b93d1b76acf868754cca0e609af558267671ad641714ca27a923efb9ba | 6 | 0 |
| New BgInfo.EXE Custom DB Path Registry Configuration | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2290f63e826d0001c4fa42b39ec48d3a1e3aedc34b3635748ac20257cccc3bde | 6 | 3 |
| PUA - Potential PE Metadata Tamper Using Rcedit | Micah Babinski | Sigma Integrated Rule Set (GitHub) | 8eb59cf451fc1b4a57d9996082ad83751d5fe59d20e9b3562534ccf7fa0a07ab | 6 | 0 |
| Potential Network Sniffing Activity Using Network Tools | Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e0fec53c12094131d1b4e307c8e9dcea040e6d3cbb6b5eff0144c5a71473253d | 6 | 3 |
| Potential Tampering With Security Products Via WMIC | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | deb3cdf84cc34aa311e6bb923cb0b259584940b4e6d724a32706971b5147607f | 6 | 1 |
| PowerShell Console History Logs Deleted | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c46b249f0117bfe33cadfcaf2c8bdae7fac2bdb7d0cd559e546090de4fe930f0 | 6 | 0 |
| ProLock Ransomware Behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6f434a5ccf3c234c99a17756d76f7690d09d6c565f238cb77186e687baae2278 | 6 | 0 |
| Registry Persistence via Explorer Run Key | Florian Roth (Nextron Systems), oscd.community | Sigma Integrated Rule Set (GitHub) | 1e3577ce99797b69eb40df7b9839ea82c3529cc36c44fdf5f4966c1966c44799 | 6 | 0 |
| Remote Access Tool - ScreenConnect Server Web Shell Execution | Jason Rathbun (Blackpoint Cyber) | Sigma Integrated Rule Set (GitHub) | daae21f683167b21c52b2d5cf76621dcdb8d8f60b79337e74692181948d4cee5 | 6 | 1 |
| Remote Thread Creation Via PowerShell In Uncommon Target | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b6b512a36600d72d464945b37dc5edcb606a3e429979c7f50e117d9a428ebaeb | 6 | 0 |
| Renamed PingCastle Binary Execution | Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | eae130a350341508858739da2c40e1c506012a525ad9d8b3b5d36b422f8b929e | 6 | 2 |
| Replace Desktop Wallpaper by Powershell | frack113 | Sigma Integrated Rule Set (GitHub) | 0f1aa746beaad206dc77bb8542a498967f1fb26e0677a3fdf90cfd5cf5c22a75 | 6 | 2 |
| Suspicious Cabinet File Execution Via Msdt.EXE | Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113 | Sigma Integrated Rule Set (GitHub) | 4c0f8984146566700f953eb45fc4781e3347270de34abc6768ebafe2403c457b | 6 | 2 |
| Suspicious Package Installed - Linux | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 88da3a6d05ee5ef259c6d116e0929c1d37d2af45f89850ee23e504ea0c83de04 | 6 | 5 |
| Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a8a088c8f88e78c7cc5ac33b30194b8a3087f2088063a607ae95d5f4ea54e273 | 6 | 1 |
| Use Get-NetTCPConnection | frack113 | Sigma Integrated Rule Set (GitHub) | 84f3662b966321c45129926b0bf88e5845313e0cd9f0b7ec89f79f37c2fbeaef | 6 | 1 |
| Certificate Exported Via Certutil.EXE | Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 979cbccf990be909d4f159a82102389c4c0c7f925d721346e5eeb3ec66af615b | 5 | 1 |
| Change the Fax Dll | frack113 | Sigma Integrated Rule Set (GitHub) | 1cd0c62ae8a59243c600f2ecbb1c6b3e7b207c19dfdbc91defb8557cdfecef34 | 5 | 2 |
| Custom Class Execution via Xwizard | Ensar Şamil, @sblmsrsn, @oscd_initiative | Sigma Integrated Rule Set (GitHub) | c0bd5b42809f6cdda07709c25bc0f42cbb0a674ce80ec8c63788ef1efd31cdc5 | 5 | 1 |
| Detected Windows Software Discovery | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 01357d5e887b9f5de970cbdf4e5303b1faff6ff0de49e5ae4c516f933c8a951b | 5 | 2 |
| Execute Scriptlet Via Regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | 568224310775bb02fb9ae53d55d8f7c8bc1daf93e73db7670b15f8b6f421f00d | 5 | 0 |
| HackTool - SharpMove Tool Execution | Luca Di Bartolomeo (CrimpSec) | Sigma Integrated Rule Set (GitHub) | 52709f1d022c43ed380f17238c6ef21a8c776d68962ee8bb294257a122e3f27c | 5 | 0 |
| HackTool - Sliver C2 Implant Activity Pattern | Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 37af4676baf9c863ccb2ca099ad1368020d8f1969b80a3e8a21065525136ff56 | 5 | 0 |
| Invoke-Obfuscation STDIN+ Launcher - Powershell | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | 8bc4688c4e1827de8ac2769dd693f5ee1d6a3dd731e0fa459a1d47788bc3ab77 | 5 | 0 |
| Lolbin Runexehelper Use As Proxy | frack113 | Sigma Integrated Rule Set (GitHub) | 0335799533ff0b89a5009e68973be7f6433ddf66282123e1845a58a8e8ec7b87 | 5 | 0 |
| MSExchange Transport Agent Installation | Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7e012de38821878c4217e8f825643266daebb69300fb51da895c540db3ca6916 | 5 | 4 |
| NotPetya Ransomware Activity | Florian Roth (Nextron Systems), Tom Ueltschi | Sigma Integrated Rule Set (GitHub) | 641862d7e2c86cdcc7b53162395c508471d30b1911e0be65fb335d6208a110b3 | 5 | 1 |
| PUA - Sysinternal Tool Execution - Registry | Markus Neis | Sigma Integrated Rule Set (GitHub) | 35df1aeee1f1078e25bb64a8af513db99a7df8736e4847041fddacedf6b747c9 | 5 | 0 |
| Potential Discovery Activity Using Find - Linux | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d11f1faaade0dee2c5c9802c5ca3156a6b215ab8469e61f9b18a1632d913c1b5 | 5 | 3 |
| Potential Discovery Activity Using Find - MacOS | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5d89a75781e7f83d35cd5bbf56e6ff75e28edd5893d5b4e2b423fcb909152679 | 5 | 3 |
| Potential Netcat Reverse Shell Execution | @d4ns4n_, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 48eb2cf6fbed9e5a8ecd06131da8406600394a1db3ad8823802706b906a09f7f | 5 | 3 |
| Potential Persistence Via TypedPaths | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ecac746e53261713779b4a2d6976c0747dd23e09ae800760119a4aa26f4ee527 | 5 | 0 |
| Potential Rcdll.DLL Sideloading | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5ff2611b9e4afd1b48de5dbd0767a94154d20da0dcd882c34d36627964c17e70 | 5 | 1 |
| Potential Register_App.Vbs LOLScript Abuse | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | cff1e1978dab401a82f456bac2436b263ce457f5ad9e3283c8d77f7ab885b87a | 5 | 5 |
| Powershell download file from base64 url | Joe Security | Joe Security Rule Set (GitHub) | 197268256285c42b2e838f027388654e2a212ce987a525c6d95784c7abb2d786 | 5 | 0 |
| QuarksPwDump Dump File | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4517db7f1f005bd0a18fc8081dbef15a21dede187d618c62699e3b1d8668580b | 5 | 0 |
| RDP Login from Localhost | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 3895d9722610797e2eb09dca91e1a804bb4eec6cc1ca5b81a937f13e4adc81f6 | 5 | 0 |
| RemCom Service File Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | aaf9c0f6fae3f23d344e3886423f727248cb280156f92be90557e288adfb51d9 | 5 | 0 |
| Sensitive File Access Via Volume Shadow Copy Backup | Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2904a54d46badb30ae1eda5e935bcbcc71f8a08303a31fb68bf9e1fb8f0f0858 | 5 | 2 |
| Split A File Into Pieces | Igor Fits, Mikhail Larin, oscd.community | Sigma Integrated Rule Set (GitHub) | 712e9f7f7214c248ff6777f914a1cf282ba49bc580bbbe4bb40a38cfacec7927 | 5 | 4 |
| Suspicious Non-Browser Network Communication With Reddit API | Gavin Knapp | Sigma Integrated Rule Set (GitHub) | fb3b178eb2ccfc3d8efba6b381a3e6aa0dd226e4216ac1d696066c8cb6be3594 | 5 | 4 |
| Suspicious Registry Modification From ADS Via Regini.EXE | Eli Salem, Sander Wiebing, oscd.community | Sigma Integrated Rule Set (GitHub) | 7d40150efe45672b8a7928c4d3ccb55e1238e89ead72dc4a08390a907fc57c17 | 5 | 0 |
| Suspicious Wordpad Outbound Connections | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5fdc0db01908f4a29aeb14a39db1c793260932e8fb9aa97303e48ec06d68ec24 | 5 | 0 |
| SyncAppvPublishingServer Execution to Bypass Powershell Restriction | Ensar Şamil, @sblmsrsn, OSCD Community | Sigma Integrated Rule Set (GitHub) | 8326a878ec5c1017e74941a7f45b60cfacf514ecaf4c2f5a787bfbecdc6bdf84 | 5 | 4 |
| Touch Suspicious Service File | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 4c152035fe4a156a8598afe425e00c7fa018704640cedc3fc083405840db2324 | 5 | 2 |
| Unusual File Download From File Sharing Websites | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f57e9a5165fe649d867e207c503dd53a05dbd5175c68be9a369174832afc8614 | 5 | 5 |
| Usage Of Malicious POORTRY Signed Driver | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b6bbc36542c77f8d058bdc271a081010f06acd3d3b84465a3ab065bc5723eb46 | 5 | 0 |
| APT 37 | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c53c2f741a37b554e1a5a16737f3c6f27a5818e8474ade69f599e8d18b6df51a | 4 | 0 |
| Cloudflared Quick Tunnel Execution | Sajid Nawaz Khan | Sigma Integrated Rule Set (GitHub) | 202614b23ae8dbee79f1e984787e29f1b16b9952b40ce6cc71429a32fa9cacf6 | 4 | 4 |
| Copy From VolumeShadowCopy Via Cmd.EXE | Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | afa46c9c99b3c76a0450a8c7dface8fa7a53dda1c62644f81fd73ced0a0d096f | 4 | 1 |
| Disable Powershell Command History | Ali Alwashali | Sigma Integrated Rule Set (GitHub) | 9bad9ab33b286bb06b80490c60a3b9a1136560cf838d47ba48b3384b762267e6 | 4 | 2 |
| GAC DLL Loaded Via Office Applications | Antonlovesdnb | Sigma Integrated Rule Set (GitHub) | 10c0778367f03c51cf9136815b90c0d7a820fa857a135c645c55014481fd1395 | 4 | 0 |
| Group Has Been Deleted Via Groupdel | Tuan Le (NCSGroup) | Sigma Integrated Rule Set (GitHub) | 985e3f8e0a9e16b289aeb9790dca44cc4fba4b0bc7ea20ad82dec4aee0ffb216 | 4 | 4 |
| HackTool - EDRSilencer Execution | @gott_cyber | Sigma Integrated Rule Set (GitHub) | 79d4d5d30b70f2ddc17cda1ca9f2f714a7e883df62fcb6b55b6d426dee3a450d | 4 | 0 |
| HackTool - Quarks PwDump Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 83fcbb048fc301513c7de88d6b54f969a6cbb28bee2de22baf8a56ee7c454e81 | 4 | 0 |
| HackTool - WinPwn Execution | Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | 75a67459e117421972b0c39ee9d1c2780a77f3110cc7fdffde53730cdaa7bab4 | 4 | 0 |
| HackTool - WinPwn Execution - ScriptBlock | Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | 608e6316d5e2bab30263ce4e9c051683feba8e73b13892340fdc8f3e39513ad3 | 4 | 0 |
| IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols | Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea) | Sigma Integrated Rule Set (GitHub) | 4c210a3b529cf299f6fa37ab319ba3210295416f01a975321a00c8d6e61fe960 | 4 | 0 |
| Indirect Command Execution From Script File Via Bash.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 11020bcf53b965fedad4d6de4a0a624f9821c338f483405ea18ded010a551c50 | 4 | 3 |
| Jacksbot (Registry event and CommandLine parameters) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | eed56e9a26e865b9accdc5a4ef7e681ca4b83deb2c6f21a65d28cac9e28547f1 | 4 | 0 |
| Mimikatz Kirbi File Creation | Florian Roth (Nextron Systems), David ANDRE | Sigma Integrated Rule Set (GitHub) | 95885fc26cc231b01a2aec40f7e62fdfbb58e544c344b8698f80b7d9a67488df | 4 | 1 |
| NPPSpy Hacktool Usage | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fe93afc27b2b53b9e4deb1b29d0172ddf97ab492beba618fda8529d8eb602bed | 4 | 0 |
| Netcat The Powershell Version - PowerShell Module | frack113 | Sigma Integrated Rule Set (GitHub) | 53b2cd18791dffbcc1b31b49b26f0068d68f366bccb84e299cb79ddcccaf04ee | 4 | 0 |
| New Hidden Tear ransomware variant | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 92dd4e3ca17ea4f0bdfb71304a8fcbbd234749a15c0c26579fac17253c4b2463 | 4 | 0 |
| Operator Bloopers Cobalt Strike Modules | _pete_0, TheDFIRReport | Sigma Integrated Rule Set (GitHub) | e730bec5d212d6a2c262a97a77cb0b3bf1ba182161a6648b1a4cf4936fede01f | 4 | 1 |
| Permission Misconfiguration Reconnaissance Via Findstr.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c26472b8ef978b2519ce5cb30b5d30baa08b0717a6302fcbfc81a2c8ebde884b | 4 | 0 |
| Possible Applocker Bypass | juju4 | Sigma Integrated Rule Set (GitHub) | b9996fdb64c94bd97526744b8287a3b3b02ac4eceff0980c672209adae0be6e5 | 4 | 0 |
| Potential Credential Dumping Attempt Using New NetworkProvider - CLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4777339ddbbc4185feac4c036855d36de485c1178bdd82acf02e02b9b3792f27 | 4 | 2 |
| Potential Credential Dumping Attempt Via PowerShell Remote Thread | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | ed3831d20478d9b3e7a4bada4351902574fc0eb36fbfd51032119c477b94e4fc | 4 | 0 |
| Potential Exploitation Attempt From Office Application | Christian Burkard (Nextron Systems), @SBousseaden (idea) | Sigma Integrated Rule Set (GitHub) | 5b693c1a0e1c87bcc7e8b870deef8f3f2c0aa4be921233e7ff5379f3b1f85dfd | 4 | 0 |
| Potential Persistence Via Netsh Helper DLL - Registry | Anish Bogati | Sigma Integrated Rule Set (GitHub) | 4b4cd16c122f46fa70660a3d40c309ad3aa316bb78e9d0c38261a9e876f12932 | 4 | 1 |
| Potential Persistence Via Shim Database In Uncommon Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4ab73e958ae7c677f546adaf223074983fa1112cf7085c97a5dc943e6698e822 | 4 | 0 |
| Potential Registry Persistence Attempt Via DbgManagedDebugger | frack113 | Sigma Integrated Rule Set (GitHub) | 0764cda98bb00fbde3294e28d5bb3b95797a31d8931448c764caa0743451358f | 4 | 4 |
| Potential Signing Bypass Via Windows Developer Features | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 986893b548623816b5ae487b1583f58f990d71c70832d8464ad658f66e9da4b9 | 4 | 3 |
| PowerShell Core DLL Loaded Via Office Application | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 246dcaa188fd410c547358799f25f6bc9452279b6460d09f2655d188926848ea | 4 | 0 |
| Recon Information for Export with Command Prompt | frack113 | Sigma Integrated Rule Set (GitHub) | e49a78894a2986a5fb30eb4ab25cd648d87db2a35906c29afc8fa6d7664f5e63 | 4 | 1 |
| RestrictedAdminMode Registry Value Tampering | frack113 | Sigma Integrated Rule Set (GitHub) | e448d82f06478af407e6d655ffbea46e7a876deeda7f5ab28f9de6183e6708a4 | 4 | 0 |
| Run from a Zip File | frack113 | Sigma Integrated Rule Set (GitHub) | 5cf936f9d2feaada449504fe406fc44b2ee6f674a4433863662f135096618431 | 4 | 2 |
| Running Chrome VPN Extensions via the Registry 2 VPN Extension | frack113 | Sigma Integrated Rule Set (GitHub) | 09e6a0408f2c734eee75232ab5bc1dd09b1be6e414b3e10b4d2f9efdd69c2311 | 4 | 3 |
| STRRAT Behavior (Sysmon Detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 37be2d5ff063bab1272d9db26a35c83920a7ad21e155ae6c12c1730446b5194d | 4 | 0 |
| Scheduled Task Created - Registry | Center for Threat Informed Defense (CTID) Summiting the Pyramid Team | Sigma Integrated Rule Set (GitHub) | a586d9331b4964f9cac6b848f49a3c0ebfd82bb006193f6220dc52c27f525623 | 4 | 0 |
| Security Software Discovery Via Powershell Script | frack113, Anish Bogati, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f02d9a0f1e4d862f9d1b1d10a2f43de36d855212d5a70b671a8493d53a1b1722 | 4 | 0 |
| Sodinokibi | Joe Security | Joe Security Rule Set (GitHub) | c2ebed9de5119e2fc16078d56ef8c2d3fc9637ba785aa7893fe5cd6a3e1a3ccd | 4 | 0 |
| Suspicious Certreq Command to Download | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 90480b0d96dd273a177b536ad0b17f114b0426bdb4c6e04d4692da954658bac1 | 4 | 0 |
| Suspicious Reg Add BitLocker | frack113 | Sigma Integrated Rule Set (GitHub) | 1e5c4651907cea569ba4493fc4d9c634d654da730dcdfa36412180bfb694dba9 | 4 | 2 |
| Suspicious Scheduled Task Write to System32 Tasks | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3da113395881b8606ab35684394038c9c59eb8dae1b899ed92a2c40df104f5aa | 4 | 0 |
| Sysmon Configuration Modification | frack113 | Sigma Integrated Rule Set (GitHub) | abdfcf563f91cb4c9b132baa9fd47b92a1e20294c09c02d7571f6fe5505f21d7 | 4 | 1 |
| TAIDOOR - Chinese RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e3cdbb4de2c006685f06e358196d7f41ab1098005328b93d9834acae72ddaef0 | 4 | 0 |
| UAC Bypass Using ChangePK and SLUI | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a334f66679d3e373f49f08113614e79457c624e8ef315085de12c285bc5d7d4e | 4 | 3 |
| Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 213f3b50d46266ee33bedcd7b9691e39509b532ecaac33a9bd6bc6b9ebfdbc12 | 4 | 2 |
| WhoAmI as Parameter | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 31e555cd1c55ce445dfd8bd7c10843187298b45b39b33ddf41b5bce83e212c86 | 4 | 1 |
| Wmic Launch regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | 4bd4adb7096f2875c9d4780cebd4f8cc5d8f98ae072aa38aea08cb38ea623042 | 4 | 0 |
| Adwind RAT / JRAT | Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 211f7156257e48d853aa431ddfc3fc7b86ca8dabc95f61553575d821ab58fd76 | 3 | 0 |
| Arbitrary File Download Via IMEWDBLD.EXE | Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | 43e02140c577391f4f448dee2a5252a421485f65e30fb1a8c5100dedc59e6111 | 3 | 0 |
| Check privilege of CMD via whoami | Joe Security | Joe Security Rule Set (GitHub) | 07a05a43e0384cce9c41d6cb6ed256ebce6aea8c6455db044d755ece6063babe | 3 | 0 |
| Conhost.exe CommandLine Path Traversal | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ae01473f6fb2564e81d4c6e62699b0c4458725e8a9aa178c9ac3841d5af3b1fa | 3 | 0 |
| Disable Microsoft Office Security Features | frack113 | Sigma Integrated Rule Set (GitHub) | db422d3f89e405109467a926cbee52085ff1a33cf97bc054529a03a316dafa2e | 3 | 0 |
| Disabled IE Security Features | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dd832d1e805b850c68be7f120da6482e6126a8ee0860e3355d54604a2040eee7 | 3 | 0 |
| Drops a DLL with WLL extension to the startup | Joe Security | Joe Security Rule Set (GitHub) | 0a0b097696bd0b36b7d1443e446cbff6c2146d7a93cacaf2838ed0fe366b61d9 | 3 | 0 |
| DumpMinitool Execution | Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dd9440afb1ca0cf7997134c36af074fb136e90414cfd1d56903ab43e8c52b253 | 3 | 3 |
| Equation Group DLL_U Export Function Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a6d1a36dcfe72a6d78f5dd3b78c79bc294296460a9b3adcd993bdd6409046c7f | 3 | 0 |
| Esentutl Gather Credentials | sam0x90 | Sigma Integrated Rule Set (GitHub) | 477a3302165776826dc440702e8eaed12303d2f1dc7a0fc02eb400d3f82f2e6b | 3 | 0 |
| Evrial Stealer (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 9d5974817e9c9eeb05c8b60f23de31930c84cb3eb8d247767b7fe7bdbec4ad23 | 3 | 2 |
| Execute MSDT.EXE Using Diagcab File | GossiTheDog (rule), frack113 (sigma version) | Sigma Integrated Rule Set (GitHub) | c4a1cabbd4c25e14be0bd98c5770d2e94ad2885f8f505bddcd03978cf4ba0905 | 3 | 1 |
| External Remote SMB Logon from Public IP | Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity) | Sigma Integrated Rule Set (GitHub) | 676272e187514be2245c3e99449f737c2a5ccd25c5cc68d52d965c7638c25fdf | 3 | 0 |
| HackTool - CACTUSTORCH Remote Thread Creation | @SBousseaden (detection), Thomas Patzke (rule) | Sigma Integrated Rule Set (GitHub) | 7b0f6b7c0939954a4e8dd01dcda83d20044a57808d265a6697c3580fde333062 | 3 | 1 |
| HackTool - Stracciatella Execution | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 91b5e23483ca6c8edbfa31c7fb6978213e819e3f968f35d109a7fb75c36c3deb | 3 | 0 |
| HackTool - TruffleSnout Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 2f2b803c7e154a72c734f5b9d5c3d332b3174757ed624c55dad5a52ad36934f8 | 3 | 0 |
| Imports Registry Key From an ADS | Oddvar Moe, Sander Wiebing, oscd.community | Sigma Integrated Rule Set (GitHub) | 004a32a3ac811e09e68ff3749364d27bd3064f5a8e6e2869b7b47cc6667b939e | 3 | 1 |
| Interesting Service Enumeration Via Sc.EXE | Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | 96388ced606f7e338e6e4e6b4016082f23db8c47bc9c0479bce4b46713bf52f5 | 3 | 0 |
| Invoke-Obfuscation Via Use Clip | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | cf3869e5aa623f0e8acc74d1afaf5036cb7bbbcb1418a1af1670aef332fd2115 | 3 | 0 |
| Invoke-Obfuscation Via Use Clip - Powershell | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 1c3ea7c0333da16496964e50a5e57012a3b70695f952212351e08d08530da6d0 | 3 | 0 |
| Malicious ShellIntel PowerShell Commandlets | Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fd4e3cdd5f9ec511509a9b456f37f38c1e40597b044a8b780d338b09445fcf05 | 3 | 1 |
| Microsoft Excel Add-In Loaded From Uncommon Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4076e4f038a7d6f293f6e47f60dcd57e4300eed4dc9d024dee3f73d33c6cdad0 | 3 | 2 |
| Msxsl.EXE Execution | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | ae7b576a3a4975bf50b43165f4c1f319c45da44af1dfb0c8ee9476258ac726d2 | 3 | 2 |
| Network Connection Initiated By AddinUtil.EXE | Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) | Sigma Integrated Rule Set (GitHub) | b611a24b790a31aad876c02e032c02d5d2c1262d42e4b6dc4d773287467d66f4 | 3 | 0 |
| Network Connection Initiated By IMEWDBLD.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 785fda7f769e06444f3d969a9e64bac3cb1625df98e533dffbb90df45425e748 | 3 | 0 |
| New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application | frack113 | Sigma Integrated Rule Set (GitHub) | d7bf9b098435065f098535225724119d1065101149d54b78b79c5eb2ac3ee9ea | 3 | 1 |
| New Network Trace Capture Started Via Netsh.EXE | Kutepov Anton, oscd.community | Sigma Integrated Rule Set (GitHub) | ed43493e84bcb41bf4a6e8d03279fa79baffdfa16300655622641d8b9754d344 | 3 | 0 |
| New Virtual Smart Card Created Via TpmVscMgr.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a9f01b952a8701fd70653525eead398a200949fadad6dbd431a57585a2779e52 | 3 | 3 |
| Nslookup PwSh Download Cradle | Zach Mathis (@yamatosecurity) | Sigma Integrated Rule Set (GitHub) | 6abd8206d99c8274a0842b1790664265abba050503b2bbafabfd33fd68b91cf0 | 3 | 1 |
| OceanLotus Registry Activity | megan201296, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 5a41f82caece4fe65bbe71be9148baa62a842cabce69fc96f25fcdbf97f8008d | 3 | 0 |
| Php Inline Command Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | beb929216e4b57c3b1275c3d5d5bf04fed77445512365bc0d3af736280b5b382 | 3 | 0 |
| Potential Active Directory Enumeration Using AD Module - PsScript | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | e5d9812b15bcfd11818558302edf1cd1fdc52ea1a6ad66b17bb07eca4d7d8545 | 3 | 1 |
| Potential Base64 Decoded From Images | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | d17f74bd10224f28ca8ad151cb9cd1c5e19ae38f0575362101e7e3c2f0fb6414 | 3 | 0 |
| Potential Commandline Obfuscation Using Escape Characters | juju4 | Sigma Integrated Rule Set (GitHub) | 4ead40e4f0adc5e486cc7911fc0b0b94f05bfe0d27b5f0c2d24e0c803d089fc5 | 3 | 1 |
| Potential GobRAT File Discovery Via Grep | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | f2b7e99557cee988b524bd2d2f8d377bafac5c0d25546caf506df8734c2578ce | 3 | 1 |
| Potential Persistence Via Security Descriptors - ScriptBlock | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1f7de9310570e85851b78387f389d4afad2aec4f21a751de564e4d9dbe8ef806 | 3 | 0 |
| Potential Waveedit.DLL Sideloading | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4c4ec335e3d6497145157f5feab27885dc6a95ae032af1e936e14e6ec130afc5 | 3 | 0 |
| Potentially Suspicious Electron Application CommandLine | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ef3162002154dc7e276e27ac75c84e2115776de86e92e17515db41702b0254c2 | 3 | 2 |
| Potentially Suspicious ODBC Driver Registered | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f7ec5b0533fdece79792bce469c843b6efc7bd40fd54811a5b3ba106ba6b29b2 | 3 | 0 |
| Powershell Exchange Snapin (via cmdline) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | 1920836da8784b3f635f88d7c9216b6619a5f5613a5d53fefb342c817897a736 | 3 | 0 |
| Python Spawning Pretty TTY on Windows | Nextron Systems | Sigma Integrated Rule Set (GitHub) | eb6deecc46500c9d451a514915fe89928aa77232bbaff37b89ff9964febc2f7e | 3 | 1 |
| Qakbot Rundll32 Exports Execution | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 312c58213f5112dced4d90fdbd5b3f6024663cf7b4c85b209ddcc69bc0a84857 | 3 | 0 |
| Registry-Free Process Scope COR_PROFILER | frack113 | Sigma Integrated Rule Set (GitHub) | f566e9fbc25004f90a7c502406100ff744d00b85ad929d568a47872238e1af75 | 3 | 3 |
| Regsvr32 Network Activity | Dmitriy Lifanov, oscd.community | Sigma Integrated Rule Set (GitHub) | a9fd3d8b393121d910bdb6416807881b8e231fde412098c46594fc45821d23ce | 3 | 1 |
| Regsvr32 Network Activity | Dmitriy Lifanov, oscd.community | Sigma Integrated Rule Set (GitHub) | e7df5abed193d7732536dcfeb0d58fbdfd844ab7c3ddd6186f9afa9ced7a6f61 | 3 | 1 |
| Renamed MegaSync Execution | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 5ed404c9cabd248ba80d6d5852fc81ff9c668726a632eb06be9595bd5b80d869 | 3 | 2 |
| RottenPotato Like Attack Pattern | @SBousseaden, Florian Roth | Sigma Integrated Rule Set (GitHub) | 5389e8a683229a6fb7e29cc17dff4e0811d8239798f60128c6f63871d4bececd | 3 | 0 |
| Schedule script as task | Joe Security | Joe Security Rule Set (GitHub) | 80a5b002421fe7261fe436fe34fde2f1e2a0b5b1d5fb7fee3b2afe02f76952ba | 3 | 0 |
| Screen Capture - macOS | remotephone, oscd.community | Sigma Integrated Rule Set (GitHub) | f4a2d13a06a29fbf2313f88753ab9955589a7aef45cfb0faea108c5bfac59ab3 | 3 | 3 |
| Security Software Discovery - Linux | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 62a85e4a565b5b8609540a8aab58fbf730dd8330b219cb92da87bb5be582ebeb | 3 | 3 |
| Sideloading Link.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d12dc80661a49ab922f3ed3b488e8a49f6edf53b777c918dc2f0b905b20d9bbb | 3 | 2 |
| Suspicious Child Process Of BgInfo.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f927c3875e2266d2070993dea88e92da092e42fd5716dc5c8254d686fa0222a6 | 3 | 0 |
| Suspicious Extrac32 Alternate Data Stream Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 908072bc38c223e94e034ac7acafdfda27359b429525af331f388a7ef0e2b66c | 3 | 2 |
| Suspicious File Download From File Sharing Domain Via Wget.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2259e9f8814e4d6d8101a51d8c30fdf9734d413e0d7da0a3a122e607e3f1ebde | 3 | 0 |
| Suspicious Plink Port Forwarding | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fd6a0f7521cf3dabf0d2ac45a1aed9f2e2029daa9d1fba9f71905bb34aa427ca | 3 | 0 |
| Suspicious Set Value of MSDT in Registry (CVE-2022-30190) | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 08f4372e76fc0605c4e338fe71c656a918209c7ab03da84c96c5f8d99d4bc241 | 3 | 0 |
| Suspicious Spool Service Child Process | Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule) | Sigma Integrated Rule Set (GitHub) | 2445eef8bbfc5d52245783f3d3a39b67d2a9e863e057b9710358f473c4a0d9ed | 3 | 0 |
| Suspicious Use of PsLogList | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2a651ab66176323248a00a1c8f2e0c1d6e82ebbcb2c316bd3a1bce5391cc6b28 | 3 | 1 |
| SystemStateBackup Deleted Using Wbadmin.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 9aae4742b47a403c0d2871d344a6076cd6b797a267bbe2d0b85e607927ef3dc9 | 3 | 0 |
| Taskkill Symantec Endpoint Protection | Ilya Krestinichev, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8cab8c8e34c5bf6c9ad0f509a28ebf3139e2d73c3b69078e57a1a63a0d5465f3 | 3 | 0 |
| UAC Bypass via Windows Firewall Snap-In Hijack | Tim Rauch, Elastic (idea) | Sigma Integrated Rule Set (GitHub) | 6394e0e9f8661be1f0a1006d948fbd4f1430543e592ee7fb29a34a6c6fded839 | 3 | 0 |
| Usage of Sysinternals Tools | Markus Neis | Sigma Integrated Rule Set (GitHub) | 1e33259c56ec61269739a1b6f2e7e13760703a505f60b194702ff716a6fe0fbc | 3 | 0 |
| Use Get-NetTCPConnection - PowerShell Module | frack113 | Sigma Integrated Rule Set (GitHub) | e69f9e383811e595a9561c923eddfc5df48f9e54f4df8fa281fcef6b501048ac | 3 | 2 |
| VHD Image Download Via Browser | frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' | Sigma Integrated Rule Set (GitHub) | cc2b06ca0a290be229ec488dee7f065eb88793eebdff5809591bff7291d6da7b | 3 | 1 |
| Vulnerable AVAST Anti Rootkit Driver Load | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e9c74d53713106fb02366cb62d020afa0660b87c13561de9c43553b46bcb0d06 | 3 | 0 |
| WerFault LSASS Process Memory Dump | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 698bc272479b99ab8911efeb4b32e6de83a3fa47b310e5829ce6e8ff5702b1d2 | 3 | 0 |
| Windows Defender Threat Detection Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | fd0a272556e2d962e1ecfb8d8fa8ab6f1d728c870db382b0b56dc04e7bf20317 | 3 | 0 |
| APT 37 | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a5976bfe7c4ff52e5b70711a7444670a4f2d462e99bd30d3c6950495e32018ac | 2 | 0 |
| APT27 - Emissary Panda Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 49512d886fa3e8d9595464c693fad4fb93dcbdbc537cda049dacce772f11f38f | 2 | 0 |
| Active Directory Database Snapshot Via ADExplorer | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 43d5cafc2ab99baaf01e5514d320d214797cff1d52b8ad3336702522499ae5c4 | 2 | 0 |
| Arbitrary File Download Via MSPUB.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a70e1836669aefe4c5a9b48179c7a3c4857505b87dbf8a3bb424d268fa80d857 | 2 | 0 |
| Arbitrary File Download Via PresentationHost.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ffb4d3b820e87f926948fb36dd6a790bd67e547ee318bb322626148b736139f7 | 2 | 0 |
| Arbitrary Shell Command Execution Via Settingcontent-Ms | Sreeman | Sigma Integrated Rule Set (GitHub) | 1eb1f4796a2c05305c0e6fb961bac3fd02861464a7d6bc3d1a35461737101c81 | 2 | 1 |
| Clear PowerShell History - PowerShell Module | Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 2169a242b9139d712fde6f31781a606f5f50af9d5dd7474d415ae08a0cf96fb7 | 2 | 0 |
| Code Executed Via Office Add-in XLL File | frack113 | Sigma Integrated Rule Set (GitHub) | 166571671ff0b50e7d6b641f7490790a2762897cb0cbbe9e2d489edb3d71010e | 2 | 0 |
| Communication To Ngrok Tunneling Service Initiated | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 66c8b63b56d52c8e957113c3f77712e8f387682164afca0cd844ddf44255d5a1 | 2 | 1 |
| DNS Query To Devtunnels Domain | citron_ninja | Sigma Integrated Rule Set (GitHub) | 254c09638219aa6696f2e2081c648d3dd50771345f11602b8537de5853d0534e | 2 | 0 |
| Enable LM Hash Storage - ProcCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8c9b1d4e376bf1355fb498b17e20c342a11d72a3a856570a9b876c049aa9da6b | 2 | 0 |
| EventLog EVTX File Deleted | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2b0d9d7e9525bf270536360deae4be670fd711eeb30bc51caa119fb9f61e3293 | 2 | 0 |
| Excel Proxy Executing Regsvr32 With Payload | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 368433c7157e0778f035c6c8b5a6cd0f273d860606bfa36f632144c7050b4c7d | 2 | 0 |
| Excel Proxy Executing Regsvr32 With Payload | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 769fe648255c0a237ee125f74d2685b54cf7799f6b5cffeae1f2fee47164091c | 2 | 0 |
| Executables Started in Suspicious Folder | Florian Roth | Sigma Integrated Rule Set (GitHub) | 934747e347848f3bf5d2222f0c29c4c6e42831b94a6e0ce77ff40017e5f11fd2 | 2 | 0 |
| Execution via stordiag.exe | Austin Songer (@austinsonger) | Sigma Integrated Rule Set (GitHub) | c012b058c607c697ab3013783a9a418dd2b233fa1f22ea4f8160238a19c65577 | 2 | 2 |
| Findstr GPP Passwords | frack113 | Sigma Integrated Rule Set (GitHub) | 6403688c88307224c6c37547c26a3634868d77d08502d77529f03daacc410a51 | 2 | 2 |
| Fsutil Behavior Set SymlinkEvaluation | frack113 | Sigma Integrated Rule Set (GitHub) | b479dbc5f99a688a740ef0586d12870ce1e3a4a5449727bcb3c11bb1510b6e8e | 2 | 2 |
| Lace Tempest Cobalt Strike Download | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 030738beefd23cc9aa74c61d31df8c293d5a9200d3ef5aafb5c65d9dd6ecfdb6 | 2 | 0 |
| MavInject Process Injection | Florian Roth | Sigma Integrated Rule Set (GitHub) | f7232cef6ad5bca28b27340de367589ba9ef580c1abb6dd69d8f2005a6473a4d | 2 | 0 |
| MaxMpxCt Registry Value Changed | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8d70e32bf8761ec29c3041975705f1e2fae75bceb86dc470f68fb5470998ebbc | 2 | 1 |
| NTDS.DIT Created | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 390c3febc49c9a0fc552532f457e9efc5156bdceeafb613044d35aab29b7124f | 2 | 2 |
| New DLL Added to AppCertDlls Registry Key | Ilyas Ochkov, oscd.community | Sigma Integrated Rule Set (GitHub) | 4bdead82e3a6a57ba296d62ccea3f3cd1086e50cb50a9b58540d3e065c5c756b | 2 | 0 |
| Office Application Startup - Office Test | omkar72 | Sigma Integrated Rule Set (GitHub) | d30a6ec556476631a5a9c60d8741c765b1c2e39b6c80bda1ad8bff961bbdae9a | 2 | 0 |
| OilRig APT Activity | Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 01364fb1c5ccb780456530afa742fccc7c5de42d1cbac829fd6f4c435888f499 | 2 | 0 |
| Potential BearLPE Exploitation | Olaf Hartong | Sigma Integrated Rule Set (GitHub) | edf3ca6a0c573fb6b3eae8a8a4a6dd129c1ddebc37dc457690fae45e9594a950 | 2 | 1 |
| Potential Compromised 3CXDesktopApp Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ae1d35c3cca80cd7625db9f23535aeb938e4401d7c63e6a938329fb4c3ccf55b | 2 | 2 |
| Potential Dtrack RAT Activity | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fbcabbd5b0fb4855de3b0bcf6bd58239facf0733ad46f2269ef540d344acb5bb | 2 | 0 |
| Potential EACore.DLL Sideloading | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bae93e846c7f1124da8273ecf31e2f1ae30f1122c5f52d1eb649abe9138e34d2 | 2 | 1 |
| Potential Initial Access via DLL Search Order Hijacking | Tim Rauch (rule), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | e6d0eea0a68b5abc52d30a4b096e43a13457c330945c48f0e430af2cc2e61bfb | 2 | 0 |
| Potential Pikabot Hollowing Activity | Andreas Braathen (mnemonic.io) | Sigma Integrated Rule Set (GitHub) | dfbd5340c469a9808e1924fb200f0b7bc6a8c9064e9f1f3f31aada63ba5a81f8 | 2 | 0 |
| Potential Privilege Escalation Using Symlink Between Osk and Cmd | frack113 | Sigma Integrated Rule Set (GitHub) | 8cbfa46e76433375262d4d1f1dc8b0a83074e3cd6f258685ddb5157686b1bf26 | 2 | 1 |
| Potential Provlaunch.EXE Binary Proxy Execution Abuse | Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | f004fe52f11323fd4e5294e8a42fcf163c1a8ae373c9be8ff16bd9aa0f8fc321 | 2 | 0 |
| Potential SNAKE Malware Installation CLI Arguments Indicator | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 776160f093a30c394ee06208302af31972f09fa9e8f5c8513d5875805b1036fa | 2 | 0 |
| Potential WizardUpdate Malware Infection | Tim Rauch (rule), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | f0965e89bec6836e03f26455041fec4e6e308a4db39383ef3ae83dbc3559b8a3 | 2 | 0 |
| Potential appverifUI.DLL Sideloading | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8964e214caef205f5e328fb9bc48c38223b6d8e1d6491c5427230ce74c9e0904 | 2 | 2 |
| Potentially Suspicious Network Connection To Notion API | Gavin Knapp | Sigma Integrated Rule Set (GitHub) | 9714bc1425872c757c1c3e386bccbb903df68beb44462bae73a91d08255201f0 | 2 | 1 |
| PowerShell ADRecon Execution | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 8f33121f45ae912b9307a03c4dc5d5309016b47eb4b2d937c74e55cda019203e | 2 | 0 |
| Powershell execute code from registry | Joe Security | Joe Security Rule Set (GitHub) | 22f5c0268236153aea7f17b7fcb4e9a2ef903343534a9c2a98b5c1f8918bb9a5 | 2 | 0 |
| Powershell launch wscript | Joe Security | Joe Security Rule Set (GitHub) | 2daf820a836b6725473b0e6ef3075aff5f25c39f1613ea91e098fa179d7a30a6 | 2 | 0 |
| Process Memory Dump Via Comsvcs.DLL | Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 31766028cc56afd6db535a222ec9ffa3a26c485dcd759324e890434acf17a601 | 2 | 0 |
| Ranumbot Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 9adcf2b748c0913ce46ec2734223045df982e2a86948b8740a48edd412720e70 | 2 | 0 |
| Remote File Download Via Findstr.EXE | Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b25ab86e0ba70b3af5d0a483821d7d39719e5572fd839640d5ae4c266df66177 | 2 | 0 |
| Rename system process and copy to suspicious location | Joe Security | Joe Security Rule Set (GitHub) | ae5e05ff7a2f5d6e654578b73a1ddc50baeec856b0ab003ad6852c80beb8b068 | 2 | 0 |
| Root Account Enable Via Dsenableroot | Sohan G (D4rkCiph3r) | Sigma Integrated Rule Set (GitHub) | 9ed5a03fa44e591022f4c2ffac36da6526e31a9f00e09e00d3ff80c78dae0515 | 2 | 2 |
| Rorschach Ransomware Execution Activity | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1dd22bc99ca7b86ddefd8510fd40122a8faa3a7929e23cb02ca34043f20435c8 | 2 | 0 |
| Run Once Task Execution as Configured in Registry | Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated) | Sigma Integrated Rule Set (GitHub) | a670267e081a215d8a32b1cf6cb799023ff0667dc9da2d474cf20a91e4f2a2cc | 2 | 0 |
| Sofacy Trojan Loader Activity | Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | c070e2f2f992c0ce37ed49db72f4c8ea1c3a9cc853e61535bd2625b5ae688b78 | 2 | 0 |
| Suspicious Application Allowed Through Exploit Guard | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 29b522d95420783d0a63b55dbd3354b097998d44c509743818e59c058b508fba | 2 | 1 |
| Suspicious Command Line Contains Azure TokenCache.dat as Argument (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 348e3e3f1264df658d94d7b48e449838ca835512c35891520db55b7b1f16160b | 2 | 0 |
| Suspicious CustomShellHost Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 540a06a16bc10e1e472979a3ae3af251fd81638d7e2df1eca74f74a3c9bcdfae | 2 | 0 |
| Suspicious Dump64.exe Execution | Austin Songer @austinsonger, Florian Roth | Sigma Integrated Rule Set (GitHub) | 5b1f1b40ef6ce717bbb2c8bc6cae3ad4d4530c3d907caaf29c131d784777fc01 | 2 | 2 |
| Suspicious Get-ADReplAccount | frack113 | Sigma Integrated Rule Set (GitHub) | 478761747645c9124bc13d30f52628821f5399cfaa18aa7299711991ff610f50 | 2 | 2 |
| Suspicious Program Location Process Starts | Florian Roth | Sigma Integrated Rule Set (GitHub) | c593fd1eac248d2f05a155e6c8ef2682b9022a12bc03104ff8e9e7c40f585268 | 2 | 0 |
| Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 665e2dd3eae60ab7cd97ffda7adaa13425a564ed16f8bba8bcfc43b8a5023919 | 2 | 0 |
| Suspicious Rundll32 Activity Invoking Sys File | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f4b9a5aba26ac1d465f55970b8defeab4a4704def7889e6c296b0f33cd1fad27 | 2 | 0 |
| Suspicious Rundll32 Invoking Inline VBScript | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 40e3e97976c84f512b11ec485b8dc54ce731851327fe05beff6b567fdfe2b91b | 2 | 0 |
| Suspicious Shells Spawn by Java Utility Keytool | Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | b7e93e0475f0c46a1c6bfd3f1f401e0a34bb9c8d73e2308101ed1368b5189de0 | 2 | 0 |
| Suspicious TCP Tunnel Via PowerShell Script | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 404fde37527518c0d7cf90ad471c4252ad236b709821c13171d3cabefd1af2ba | 2 | 1 |
| Suspicious WERMGR Process Patterns | Florian Roth | Sigma Integrated Rule Set (GitHub) | 993d5c8b52bb82b1de2604204add68928f1fe311e3072e4e053d6dfb969e33e7 | 2 | 0 |
| Suspicious Windows Trace ETW Session Tamper Via Logman.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 780ed5be93f71a397b1b6c9d95912c0781c2ed9114eef8fc5aec854bf80b1f2c | 2 | 2 |
| Suspicious X509Enrollment - Ps Script | frack113 | Sigma Integrated Rule Set (GitHub) | 77e34e5ddd682fec92906cbab4f1a75be4ca9f043f76d91925f61910a08af10c | 2 | 2 |
| UMWorkerProcess Creating Unusual Child Process CVE-2021-26857 (via cmdline) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | 777e78408dd5e81cb40b0dd4b18dc729cd882538beac8337067e6a2ceb940493 | 2 | 2 |
| UNC4841 - Barracuda ESG Exploitation Indicators | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ee7d4dbd9f33900a9a93c377bedcfab9cbc2a4baabbbd764d436f767635f603d | 2 | 2 |
| Uncommon Child Process Of AddinUtil.EXE | Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) | Sigma Integrated Rule Set (GitHub) | d07c0111ca994bb6ef90efc7d6bfcc5a20408747015d99a9bb8d5fd462868d91 | 2 | 0 |
| User Added To Admin Group Via Dscl | Sohan G (D4rkCiph3r) | Sigma Integrated Rule Set (GitHub) | 053a1a9c29702a8132865b251a7d79230d06f3985fe5d8f799079ea3f6748912 | 2 | 2 |
| VolumeShadowCopy Symlink Creation Via Mklink | Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 3b5b0346a9d3b5b510bfd33a67662439c44419ada001c73160bdcc75d76b2d3b | 2 | 1 |
| Windows Credential Editor Registry | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6ebbbc78481d8b5c75483ddb2c7045a006678cbfbd915c2e6d0c0e5d2dfb736d | 2 | 0 |
| Writing Local Admin Share | frack113 | Sigma Integrated Rule Set (GitHub) | e62e7dc0b12394b319cbb70f3b434d86a1a4e97c05c4cf3939efba22e4c603c7 | 2 | 0 |
| ADFS Adapter Process Spawns (via cmdline) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | 5b090817d20c98f190eec819a6c655b46a96324e58e3195a7f9c5e076fae6acb | 1 | 1 |
| Access payload via nslookup txt record | Joe Security | Joe Security Rule Set (GitHub) | 67bf4076420cafbe2c3dc3fc86fdd91ae99b1405541272e1e5761f827675c619 | 1 | 0 |
| AppLocker Bypass via Regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | 2331619a69009fbe3cead24a909b7e9d42ffb14b71caa6d83ee04fce114b10eb | 1 | 0 |
| Assembly Loading Via CL_LoadAssembly.ps1 | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | aa273ed357d9327c9c8131f9175a347aa2c8c8fa545e8642b56404eb76668070 | 1 | 1 |
| Automated Collection Bookmarks Using Get-ChildItem PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 9fa49f4a1e9253459c99846a03ce69d8e029b42640efba5e158e2455b6c0f5fc | 1 | 0 |
| AzureHound PowerShell Commands | Austin Songer (@austinsonger) | Sigma Integrated Rule Set (GitHub) | d745e174b185bed59eeb7c26c061f86404d4a74607b523973b17ee01d22e665f | 1 | 0 |
| Cerber Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 73c0a64c5562e339d22b6dd8487f58f08f817a078ee2d99fa508f2bcec9487d2 | 1 | 1 |
| Certificate Exported Via PowerShell | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5d6cbfca798cb6cc7bd8029cf8dda1f2096f0f7f9a422bdde483cdc370a4ab12 | 1 | 1 |
| Cloudflared Portable Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0df6b3969a48add8dac066e0fb800e67f9c0f718cc0e73bcb8530f3ba4834c15 | 1 | 0 |
| Code Execution via Pcwutl.dll | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | d893a429c2ce543e3a265b3794e1845676e899c8dab1ac888aca5607d9821ae7 | 1 | 0 |
| Create Volume Shadow Copy with Powershell | frack113 | Sigma Integrated Rule Set (GitHub) | ef1d2531cf3919c8ed1ffd678acc8325c41225368f4add8ce5d727f9d4f742ba | 1 | 1 |
| Credwiz util dropped by mshta for dll sideloading | Joe Security | Joe Security Rule Set (GitHub) | 47b76425766ceb0d5f71f5b737ae4660dc4fcaa91295131395a542596953ef67 | 1 | 0 |
| DLL Execution Via Register-cimprovider.exe | Ivan Dyachkov, Yulia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | dd9b6910a5e264c2b56a7a735f0cfc2cab9c341775db4a260bbadf7815d05772 | 1 | 1 |
| DNS Query To Visual Studio Code Tunnels Domain | citron_ninja | Sigma Integrated Rule Set (GitHub) | ef7875627109402da8f45dc9d58e5fa63734724bd100987579c6d36e1cb777ae | 1 | 0 |
| DarkRAT Botnet | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 5157203e484dbfa217f40f7089460a4c6713e54ef44ca66a31ec7d5c820f0d26 | 1 | 0 |
| DiagTrackEoP Default Login Username | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ef6b78708541778890f149b517c7191263263f7e3d08908ab5d2e6d2b370d91b | 1 | 0 |
| Diamond Sleet APT File Creation Indicators | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ddd1dcf7e7fcf2883a62f25b86d45a03612f001c32620254eb246b8e78d07765 | 1 | 0 |
| Discord client stealer (AnarchyGrabber) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d513011ab49524e73ae98c85b1f902158f55f0412551679d5acbb03eee68c4a3 | 1 | 0 |
| Diskshadow Script Mode - Execution From Potential Suspicious Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fd45ac7bbd66ed6cff7101650b2d60441b34f3204588d1fa86847c84ab860438 | 1 | 0 |
| Diskshadow Script Mode - Uncommon Script Extension Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b250de19a86e99fc74ff1e9c7318641cef02be674ed262872fc9366d3cd31b8b | 1 | 0 |
| Dnscat Execution | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | c625578e8b4d44c52ee346e1df82116ed7e4896e4caad93d0fdb7fba487dbfdf | 1 | 0 |
| Enable LM Hash Storage | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5fe89d5a63ca7908f9aa0183174c641eec6cff790082c2360a275ff0b3443c6a | 1 | 0 |
| Enumerate Credentials from Windows Credential Manager With PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 0470d9b3a45f6fadd111284469ea5f0dc2a9e4cebf5973ac13ec483c7c1e072b | 1 | 0 |
| Esentutl Steals Browser Information | frack113 | Sigma Integrated Rule Set (GitHub) | bce05b02ed7bf1572470a2ea1548ecf7c62b4acf1b30aad45e3a0dfd7aaa010b | 1 | 1 |
| Esentutl Volume Shadow Copy Service Keys | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | e49ec9683ea49e495920eaed6f515ba9a16d6329c30e123a1b7fb158f03004fc | 1 | 0 |
| Execution via WorkFolders.exe | Maxime Thiebaut (@0xThiebaut) | Sigma Integrated Rule Set (GitHub) | 50d292f837567defe72f24a4b91ee437943cd8f35d5aedcf15979d3d253d38e9 | 1 | 1 |
| FASTCash 2.0 - North Korea's BeagleBoyz Robbing Banks | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4f4f4d2ef9741a90d68b3e1ca5439694604fc80bcb02c3cbde70096562cc6000 | 1 | 0 |
| File Download Via Windows Defender MpCmpRun.EXE | Matthew Matchen | Sigma Integrated Rule Set (GitHub) | 0de6e296fdb440317bd15b3aa29b6d99b17b08dea792264888e93fa3c62f9514 | 1 | 0 |
| File or Folder Permissions Modifications | Jakob Weinzettl, oscd.community | Sigma Integrated Rule Set (GitHub) | d1b3909fc498977f2008254e9e38903c16568e7a8aaaeb2eb0d1d4f155373408 | 1 | 0 |
| Get-ADUser Enumeration Using UserAccountControl Flags | frack113 | Sigma Integrated Rule Set (GitHub) | 9aed66a645e706e68d91f5f6698e41f6dcbe96ba3a4c700baf46ab5dc42733f9 | 1 | 0 |
| Goofy Guineapig Backdoor IOC | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 642912e64596ca5c6f18ce6dc495411e4cb44dd5a9f266dd6200a28758f293a3 | 1 | 0 |
| HackTool - CrackMapExec Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3b089e7f895f7da0d05f361a5815b3fb843bf243e11174993b9d167b40cdd5ba | 1 | 0 |
| HackTool - Dumpert Process Dumper Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4f4552b72d1fdf1daa9803088eabda70a1a8259d5eae424fcbf3b7edae985b63 | 1 | 0 |
| HackTool - Impersonate Execution | Sai Prashanth Pulisetti @pulisettis | Sigma Integrated Rule Set (GitHub) | ebaee3629e5eae35e0043057b3b0fccc4f2831eaadec57c3280dc181b3683c7d | 1 | 0 |
| HackTool - Potential CobaltStrike Process Injection | Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community | Sigma Integrated Rule Set (GitHub) | a95251178853987552aca691c7ec1d2e31c91213e0e11f80fd3e7789a1234894 | 1 | 0 |
| HackTool - SharpEvtMute Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7f4ab47a48c30eefe0bd92c3fe92c7f2481803dfb5833689959c5f32bff77dc2 | 1 | 0 |
| HackTool - XORDump Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4abc044da118e9866fcf5bc9e7da198eb9947cb37219f7a3b35126a70e5dbb60 | 1 | 0 |
| Hijack Legit RDP Session to Move Laterally | Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | 69573f6b1ce64e7122c33aec2473e20ddf52e90291907115ac5515a58660b7dd | 1 | 0 |
| HybridConnectionManager Service Installation - Registry | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 6ba69204045297b2467cffd2d3908dc1588e213dfeaf62bb11c1778c9d93dcf0 | 1 | 1 |
| IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ada7805a558c75196a7ac0641a9aa087fd9074927fbf34b382103198130c318a | 1 | 1 |
| ISO or Image Mount Indicator in Recent Files | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c900f66da95fa26372d3215d39bd89b49e90062a492f060cb46b92415f37ba3c | 1 | 0 |
| Invoke-Obfuscation CLIP+ Launcher | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | 96f143150cf12b082ad12ff80043a40ce507e50dbf6f4c6d68fb1f4f0cbe1771 | 1 | 0 |
| Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 3481fdd9c7d7aa343ba20022ceec206525f19fda50c317ba5e59f6996102f4ce | 1 | 0 |
| Invoke-Obfuscation Via Use MSHTA | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 9e9633eb15bfbbe3ed0b8c01989e6bb38f91bdcfe4de5867c801ab39f781cce6 | 1 | 0 |
| Invoke-Obfuscation Via Use Rundll32 - PowerShell | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | c7fc78f9f9afd5b257d906bddd5224d85c22d33c73eb36c94c9ee19f427defb0 | 1 | 0 |
| Linux Doas Conf File Creation | Sittikorn S, Teoderick Contreras | Sigma Integrated Rule Set (GitHub) | 827cb8c225f337fd4b3c18389b600f02afbfe9b6ac6bfd1781b69b08b1107a74 | 1 | 1 |
| Live Memory Dump Using Powershell | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 843f3a30bd6700683442b21bbfb20c59afbc32cc978b84e9b713a85d39d8cc90 | 1 | 0 |
| Local File Read Using Curl.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2113fad72506f5e6808672c78a935f15a15ee2ec5c1d8f8af047e87b6200397c | 1 | 0 |
| LockerGoga Ransomware Activity | Vasiliy Burov, oscd.community | Sigma Integrated Rule Set (GitHub) | 0c0ba5aebd0db3facb25385b2dbdc2b2a34be391da1993bc8a02c689608fba16 | 1 | 0 |
| Microsoft IIS Connection Strings Decryption | Tim Rauch, Elastic (idea) | Sigma Integrated Rule Set (GitHub) | 20a23b3742adf40aa55fbac8db826b73873b31aff8366fedd4147c3b646e2afc | 1 | 1 |
| Moriya Rootkit File Created | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 4a9ddb920ad6eab5d240fd46b4a22a2839ea161414fab29fdcd567a468de9295 | 1 | 0 |
| Mount Execution With Hidepid Parameter | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 033a287f5250bcca41748bd549bfd7ef1e178a7fcdfe57ec76157827609648d4 | 1 | 1 |
| Mstsc.EXE Execution From Uncommon Parent | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7a00b39dfe303867f3d10fb5408cde9627f21a20a81e999a4a4580cf8e79fb2a | 1 | 0 |
| Outlook Macro Execution Without Warning Setting Enabled | @ScoubiMtl | Sigma Integrated Rule Set (GitHub) | 2f07ac019282aa31e76811036780c9cb961d1b01262e2beeea4f9f7c17a906eb | 1 | 0 |
| PSAsyncShell - Asynchronous TCP Reverse Shell | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c810fbc7a849c84715e0916659832d96fe910348f20d5fae1d5690787d8b4646 | 1 | 0 |
| PUA - NirCmd Execution As LOCAL SYSTEM | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 40d85a90edfb89bec5045c66b822890370973192e8b0e6b11d87926d3c70c18a | 1 | 0 |
| Persistence Via Hhctrl.ocx | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 619bfabcf9aaef1ece918445b19fedf232ff43505e0243efe19a4570d337eeb5 | 1 | 1 |
| Phishing Pattern ISO in Archive | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2df698bbd801db84c12100296dbba0869a2e6936088abee3147315e5617f7fbf | 1 | 0 |
| Pnscan Binary Data Transmission Activity | David Burkett (@signalblur) | Sigma Integrated Rule Set (GitHub) | f85fc8e3b59a0650920e8626c3ab8f8e1aee6c2a45989f0048db72682e95717f | 1 | 1 |
| Potential BlackByte Ransomware Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 84b39fa5fbd9d5726548c90280f53428562a3fef57fff40cbb48ae96cbd05757 | 1 | 0 |
| Potential DLL Sideloading Using Coregen.exe | frack113 | Sigma Integrated Rule Set (GitHub) | 01fcc70fa597067bcc483ccdcc3b4008c92d1812ea8c77cdf86a2bd969164c8b | 1 | 0 |
| Potential Encrypted Registry Blob Related To SNAKE Malware | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c7a9135a7495cc269f3b10cb8dab6dce6e5938a53d6fa118dbb6229069b5df38 | 1 | 0 |
| Potential In-Memory Download And Compile Of Payloads | Sohan G (D4rkCiph3r), Red Canary (idea) | Sigma Integrated Rule Set (GitHub) | 000961bac8191e7ec977b21db664763efb7130c56f4cc8e908bfd4fd24f97824 | 1 | 1 |
| Potential Qakbot Registry Activity | Hieu Tran | Sigma Integrated Rule Set (GitHub) | 2f9f70c567a86353fa5327024f1dfd5d91b237f3883d7158024bf18b7ae8010c | 1 | 0 |
| Potential RDP Session Hijacking Activity | @juju4 | Sigma Integrated Rule Set (GitHub) | 9486aef25aa918db09425c70f1f87b5676acd4c8dd01ba9b61383b52607cfa1a | 1 | 0 |
| Potential RDP Tunneling Via Plink | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | aae2c065eaa9be8624c572fea73afd6a811be26c3caaca6a0da56c0f62209c2b | 1 | 1 |
| Potential WerFault ReflectDebugger Registry Value Abuse | X__Junior | Sigma Integrated Rule Set (GitHub) | 6d7e74ad7e7edec2929f2aad43e0edb6f0cf204988f5900030550826aa7cb146 | 1 | 0 |
| PowerShell Execution With Potential Decryption Capabilities | X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b54dd3eade714800b0c55aea4fbfe0f786ec6e18dfc8d92c7ea1110c22a65698 | 1 | 0 |
| PowerShell Set-Acl On Windows Folder | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cbd27f1b0c7bf5664106f29f78225d4289d95c4885067397a12321e2a2e052b8 | 1 | 0 |
| PowerShell WMI Win32_Product Install MSI | frack113 | Sigma Integrated Rule Set (GitHub) | 886a6cdfbfcbcfcde30e44f3ad1ba09800d648cd3e218d41751c49d0b38913e7 | 1 | 1 |
| Powershell Add Name Resolution Policy Table Rule | Borna Talebi | Sigma Integrated Rule Set (GitHub) | 6a0480b5e9f46ad6fd17ff8a2c5a0d95cd8d48431fa85eb3e94646210033a9a4 | 1 | 0 |
| Powershell DNSExfiltration | frack113 | Sigma Integrated Rule Set (GitHub) | a40151c9a2ec5e5671945aceabe6ad097c67f4d30456644230d8f9a37511a161 | 1 | 0 |
| Powershell WMI Persistence | frack113 | Sigma Integrated Rule Set (GitHub) | d31a6afb995dab0473ccaefae327155cd4ba87afbabf6a872553475c50bb7182 | 1 | 0 |
| Powershell delayed execution via ping command | Joe Security | Joe Security Rule Set (GitHub) | 9a4875b9a93f7ed6dd4f6259f58f0ff372f1351c267c6d112364a3064aeae82f | 1 | 0 |
| Powershell run code from registry | Joe Security | Joe Security Rule Set (GitHub) | 09cf140e4816d8c5bcb37b98e996e455d8127cbccdf4287901654f824cf63f13 | 1 | 0 |
| PrintBrm ZIP Creation of Extraction | frack113 | Sigma Integrated Rule Set (GitHub) | 7a22f5dc1a6c3702cbafc1bf0a6cfca9d9afb689ba7155f9f0675dbc68698583 | 1 | 0 |
| Process Access via TrolleyExpress Exclusion | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 98524990b8add9e2e1a7f6bda8a9d1789d97cf82993ffcead8c029681bdd155f | 1 | 1 |
| Pubprn.vbs Proxy Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 6c22680943e5f2801362d1a1306680417fe8785a043fed54683a2ca7c75b3666 | 1 | 0 |
| Qakbot Regsvr32 Calc Pattern | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 22cd867b42e046d6c867cb73d487647824bf02941580376e31862da525267f6d | 1 | 0 |
| Query to GoToAssist Remote Access Software Domain | frack113 | Sigma Integrated Rule Set (GitHub) | 543100b86d56272595d663cd87539f09fb01e9ce06b5d847c2bc9ad88710b17f | 1 | 1 |
| Query to LogMeIn Remote Access Software Domain | frack113 | Sigma Integrated Rule Set (GitHub) | 44c5e7c7bdc6965af0ddf07703f708dcda09e583e4c473d7b247067132a8704c | 1 | 1 |
| RDP Port Forwarding Rule Added Via Netsh.EXE | Florian Roth (Nextron Systems), oscd.community | Sigma Integrated Rule Set (GitHub) | 70c15fe82eef73d893f59ec3589b484917b941f103c9c29048472576af7e8cc8 | 1 | 1 |
| Rclone Config File Creation | Aaron Greetham (@beardofbinary) - NCC Group | Sigma Integrated Rule Set (GitHub) | 76a893bef53690d6ce9764427bd65300fe3d50440086afa77a1b15d3f777d9c1 | 1 | 0 |
| Regedit as Trusted Installer | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 40b85d8543b5dc00f22211f0dd2f05012b435d38fd8e170370986c189a9b39f2 | 1 | 0 |
| Remote Thread Created In KeePass.EXE | Timon Hackenjos | Sigma Integrated Rule Set (GitHub) | c7b5dea156bee8e6c2b83c210e6135eea01b42f8c08ec3f18fd04046036bf973 | 1 | 0 |
| Remote Thread Creation Via PowerShell | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 780e368b7c4c2665f3cbcc6184c03b9147726ab5239f4c01341cbc02775dafda | 1 | 0 |
| Renamed PowerShell | Florian Roth, frack113 | Sigma Integrated Rule Set (GitHub) | 52606fbb97633e0a2c2581ff33bcb2bb212da3c00b02cbf971e5a0aa2f7b4cab | 1 | 0 |
| Run CertUtil from suspicious location | Joe Security | Joe Security Rule Set (GitHub) | d10fe75d3edfe38a67c070614eaf661fe0d608b0d0b81ed88ad9673766b25eba | 1 | 0 |
| Rundll32 JS RunHTMLApplication Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 343b001a9d0d8504e1dad1dec564de589c763ce6c3c86ccf9ad3ec5835a3e879 | 1 | 0 |
| Scarab Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c3b33a6ba821d844c3bfc5a217489aca877dc9bc6c76c84e4d8cabd6a320bd7b | 1 | 0 |
| Scheduled Task Deletion | David Strassegger, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 53299fc80451ec1c374dc7dcad4c9aee3f98bd1defb1b23e02900f2cf17d8c14 | 1 | 0 |
| Security Tools Keyword Lookup Via Findstr.EXE | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | 3979f492e85f1b955d588204a18591d00902657e2d09f9133ad0a2f5d07cafd1 | 1 | 0 |
| Suspicious Cmdl32 Execution | frack113 | Sigma Integrated Rule Set (GitHub) | cf2baf60d63943d7200da28391b4e63298b2d186faf45b499b001ca84dc882ea | 1 | 0 |
| Suspicious ConfigSecurityPolicy Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 5b2e321b4ad7aa35a23d2181a655941dc96ea260435a6e1663158a7b2182a9fe | 1 | 0 |
| Suspicious File Download From IP Via Wget.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8a77cbb3343b934b17b221810b1278ca68bd24144e2c569763803fe21e9983f4 | 1 | 0 |
| Suspicious File Event With Teams Objects | @SerkinValery | Sigma Integrated Rule Set (GitHub) | 0afc8b40475b4a11fb033ab7f2b1a3a137953da821273c50bc1edc3839fcc085 | 1 | 1 |
| Suspicious MacOS Firmware Activity | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 71c75c172863712967d00b928953180528e3cb3b663a1722518a9271c3538625 | 1 | 1 |
| Suspicious Modification Of Scheduled Tasks | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2e8ac8f2b500adefbe25a5aea82f02f8c8fe15388666d33129f8fc614ca06821 | 1 | 0 |
| Suspicious Outlook Macro Created | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 76f0ef9a1d3093e7922e73e38b050014d69a703c2cdb6aa842fe5fb1040cf4ce | 1 | 0 |
| Suspicious Response File Execution Via Odbcconf.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0c2953b482652803753bde4e28362ae1679c638162190e47c40757d09d8910cc | 1 | 0 |
| Suspicious TSCON Start as SYSTEM | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ef15288703ebef641a550ecf3efe69b3c2eae2d9d03b9828ebc27e4474bd138a | 1 | 0 |
| Suspicious Use of Procdump | Florian Roth | Sigma Integrated Rule Set (GitHub) | bf45bfecf2446b7f2b7904bc35a7006ea9bfae3e8ba4d6ab35dfcb00095b0b9d | 1 | 0 |
| Suspicious ZipExec Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 4299b17cc3fb6f5ed2bc90d612e461452723118f5b71a85231879dcf7c197ead | 1 | 0 |
| Symlink Etc Passwd | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e6c712d0b47b9ca26b1493414298a9db2aa7d1a7a22ae1dd2bbe3d98be6ebccd | 1 | 1 |
| Sysmon Driver Unloaded Via Fltmc.EXE | Kirill Kiryanov, oscd.community | Sigma Integrated Rule Set (GitHub) | 7729210ddf59514a2d5ae300b6b3c3cd9b836719c40091d770a3b08bef6d735d | 1 | 0 |
| Tap Driver Installation | Daniil Yugoslavskiy, Ian Davis, oscd.community | Sigma Integrated Rule Set (GitHub) | 7bd4ba31d00dc2c285a409cd7939611accc6c2934992f8e9cd0ce8c32ad0c40c | 1 | 1 |
| Time Travel Debugging Utility Usage - Image | Ensar Şamil, @sblmsrsn, @oscd_initiative | Sigma Integrated Rule Set (GitHub) | f2baa9e77eedc1ad2bcabc55acff8e7d6273352d961c3bf3b07d58b3b7fd8bb7 | 1 | 0 |
| UAC Bypass Using Consent and Comctl32 - Process | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 45716a61474d8af25ba7318e0bcc946490ebaf1a0ea6c9a73d6fa3d572e58ae6 | 1 | 0 |
| Uncommon AddinUtil.EXE CommandLine Execution | Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) | Sigma Integrated Rule Set (GitHub) | a3b213c5717136a83029dc1cdab2fdd22660f0c66db8fea94a7889db664af0ac | 1 | 1 |
| User Discovery And Export Via Get-ADUser Cmdlet | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4e63c259cab70634dcce7fc3f41cbcc1cf49188d52de7590ab2f7a3aa6e47911 | 1 | 1 |
| WINEKEY Registry Modification | omkar72 | Sigma Integrated Rule Set (GitHub) | 585081efe7df5aaf634ee8b6187b3f8adb0c8156cbcc8f25867ffec4654fc697 | 1 | 0 |
| WMImplant Hack Tool | NVISO | Sigma Integrated Rule Set (GitHub) | 6b93b7bce89874009dd0ecb10a52f610736bcb6d33fe425d9295732660f6b7ab | 1 | 0 |
| Windows PowerShell Web Request | James Pemberton / @4A616D6573 | Sigma Integrated Rule Set (GitHub) | 226bf9a98dfb94416c0f984ecfd7e566a55fd0efe2af4257055b1f1be1501377 | 1 | 0 |
| Windows PowerShell Web Request | James Pemberton / @4A616D6573 | Sigma Integrated Rule Set (GitHub) | 2637f98feb69311f94822998eb3c8b8d217e6c5767e071536ca54f9da830e236 | 1 | 0 |
| rundll32 launch mshta and run script from internet | Joe Security | Joe Security Rule Set (GitHub) | 529f06043b5ec852cb07ebe7880eaedad5dfcb5b041100dd85458b5ae5d43c1c | 1 | 0 |
| (SIGRED) CVE-2020-1350 DNS Remote Code Exploit [via HTTP/Proxy Logs] | SOC Prime Team | SOC Prime Threat Detection Marketplace | 2c660e94b9dd36c78c57a2250c28533823a79106701103f8b2a662501cc2a379 | 0 | 0 |
| (SIGRED) CVE-2020-1350 DNS Remote Code Exploit [via HTTP/Proxy Logs] | SOC Prime Team | SOC Prime Threat Detection Marketplace | f45ee46c268733c28e2e456cd180b06976bca8e8fc0819a141d83778e7e6908b | 0 | 0 |
| A New Trust Was Created To A Domain | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | f354ac1a99792012ceaef04ee732d816f1a2d9dee2e30492295b794811ed0e46 | 0 | 0 |
| A Security-Enabled Global Group Was Deleted | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | bf3e787c52710338f2de4d60dc5d8c182f8014d194883f95053611e83cb06306 | 0 | 0 |
| AADInternals PowerShell Cmdlets Execution - ProccessCreation | Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b16d67523f0579e7a519f3728bfe10cb26d5526cc90e1b975b33341e51ba7854 | 0 | 0 |
| AD Groups Or Users Enumeration Using PowerShell - PoshModule | frack113 | Sigma Integrated Rule Set (GitHub) | a205be34057679bd055b1f3cb3fd18d4d31f2b0bd776288ccba6be10b5a818e0 | 0 | 0 |
| AD Object WriteDAC Access | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 58cec962c267e019fa838d36e02695d7254409214165d3ac1363b49e8711131a | 0 | 0 |
| AD Privileged Users or Groups Reconnaissance | Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | 14cbefe2ccc7618cf17e2c9b92743b97fbf394277a7c17c58ebb3d942aa0a0fd | 0 | 0 |
| ADCS Certificate Template Configuration Vulnerability | Orlinum , BlueDefenZer | Sigma Integrated Rule Set (GitHub) | 6d83e2c5d3c8dd6baf3897d1fcfef08e8e7745f60a8712ff35acc679d26b2db6 | 0 | 0 |
| ADCS Certificate Template Configuration Vulnerability with Risky EKU | Orlinum , BlueDefenZer | Sigma Integrated Rule Set (GitHub) | 145c680f84c610717ce0f64126642e2075071657c6b04077e58c08042f45b3dd | 0 | 0 |
| ADFS Database Named Pipe Connection By Uncommon Tool | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 4066789e2f52a62b211079b31d3fecc622acde6f0aab1c5127584333f498102c | 0 | 0 |
| ADSI-Cache File Creation By Uncommon Tool | xknow @xknow_infosec, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 39b6e2d47cbb2139a0b088fb0f338071749fe923d01346e457f7ba2b0371e1b5 | 0 | 0 |
| ADSelfService Exploitation | Tobias Michalski (Nextron Systems), Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | adb52649fba655a7c618328f8a47138b0829cd7ee3ff23c599542d6103b29a92 | 0 | 0 |
| AKO Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | bb075da0c850b7587ce9434aef02a948171b3545ebd0914125d7f5fe4fa590dd | 0 | 0 |
| APT 37 | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 2c9099b138fc55d5fdb1dce07ff366a656ee06b6ff8dd57d238ce00e61809e4e | 0 | 0 |
| APT PRIVATELOG Image Load Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 396dd003148797c25c2cb63e8f2c6e0b3973ed37675f9c214f6a40a269c94131 | 0 | 0 |
| APT User Agent | Florian Roth (Nextron Systems), Markus Neis | Sigma Integrated Rule Set (GitHub) | e2b73603c9441b256be9bab1ccd758407a6d6470859f0f6cb838ff2eadc08006 | 0 | 0 |
| APT29 | Florian Roth | Sigma Integrated Rule Set (GitHub) | 976e44f1ea7fa22eaa455580b185aaa44b66676f51fe2219d84736dc8b997d3e | 0 | 0 |
| APT29 2018 Phishing Campaign CommandLine Indicators | Florian Roth (Nextron Systems), @41thexplorer | Sigma Integrated Rule Set (GitHub) | 8f2c777b3dc85aa4c4663fc4de3a1d8bd273ea3506fd8481a76de1a0ffb2c6b4 | 0 | 0 |
| APT29 2018 Phishing Campaign File Indicators | @41thexplorer | Sigma Integrated Rule Set (GitHub) | 120841a228484caff2f660319625b672d8b268d649f0522d99d2a59c6c60f3b3 | 0 | 0 |
| APT29 Google Update Service Install | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 34f4cff056f24abe91bb29dc04a37ee746a4255101a21724b9ff28d79785247a | 0 | 0 |
| APT29 Google Update Service Install | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | e6247b8fe178e47b7e98f318da90608dc7aaf94fa99fe8e933f0a05b6498bdb4 | 0 | 0 |
| APT31 Judgement Panda Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 79e0e41a4f427cdb7337c02f6d2bf2f18272a145bf619561b749dc623133dc88 | 0 | 0 |
| APT40 Dropbox Tool User Agent | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 572ac9027db60bae5654b7a9bc5d58e315db0810b08d8142c6db54f5e9e7ed24 | 0 | 0 |
| AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | 1d0bd876f993864d8a65e33ce45e152f3e49063e858a74169b77923d673483a8 | 0 | 0 |
| AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | 3f84ecf411a71bd8d115a14303c8eac0baf1a7d57c27f81e99c78b2bff51f3c5 | 0 | 0 |
| AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | a84e26c881c97617cb1fd0ca767f6c6a6aef9dc2b22b7c5346b71449a2bb5bbc | 0 | 0 |
| AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | d51a28a580a981a8c30c17c8985ac1d2bb9187f6dd4a55cf24b6f0c4cfc4c1f4 | 0 | 0 |
| AWS Attached Malicious Lambda Layer | Austin Songer | Sigma Integrated Rule Set (GitHub) | 0650616005d1cf25b22be420f69ef9f6271137f0d29697a56f3346877ffd37f8 | 0 | 0 |
| AWS CloudTrail Important Change | vitaliy0x1 | Sigma Integrated Rule Set (GitHub) | 4ef2dc5f6a20a823034706154832eb2b6caacbdd7526d5f72b41b87b661c18b9 | 0 | 0 |
| AWS Config Disabling Channel/Recorder | vitaliy0x1 | Sigma Integrated Rule Set (GitHub) | 1ca012603accfb34b464b1a408012216374690743be9979de051b99b95859e64 | 0 | 0 |
| AWS Console GetSigninToken Potential Abuse | Chester Le Bron (@123Le_Bron) | Sigma Integrated Rule Set (GitHub) | 09f310f17532829d1465eabe4b36307020b5ece377e1b1783403c036fc148722 | 0 | 0 |
| AWS EC2 Disable EBS Encryption | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 7cc31b5a6e3bb9dfe917930e9cff98c24e1477f39b93c17de733f572469e6746 | 0 | 0 |
| AWS EC2 Download Userdata | faloker | Sigma Integrated Rule Set (GitHub) | 52870d4d2756b6f3dde8066072d0df3fffc2208a2f13a11ad8dda6663fc6c12d | 0 | 0 |
| AWS EC2 Startup Shell Script Change | faloker | Sigma Integrated Rule Set (GitHub) | 839d04c92bee18b43af5b78244d9a121efb5f27e4eebc842ae6c62a6c9e4b4f3 | 0 | 0 |
| AWS EC2 VM Export Failure | Diogo Braz | Sigma Integrated Rule Set (GitHub) | 510922d4a963b58fd4765ade7ccec8ec0d323813387711be4acd2577afcd50d5 | 0 | 0 |
| AWS ECS Task Definition That Queries The Credential Endpoint | Darin Smith | Sigma Integrated Rule Set (GitHub) | fc4d896380c961454c0e4e2298b4b42f7da55011348cdbec3ff9a56ba169b7a0 | 0 | 0 |
| AWS EFS Fileshare Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 320cb5ec91c7d2c86ae27ee1a995b6a6fad692c4dd4716db1bddc009cef68f24 | 0 | 0 |
| AWS EFS Fileshare Mount Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 557ffbb2dc96ead10718f0ce8e23abbd4520126cb5eb85b94b8f3d19e7ff6442 | 0 | 0 |
| AWS EKS Cluster Created or Deleted | Austin Songer | Sigma Integrated Rule Set (GitHub) | 633e9cc212d624837b46fa0381b5cb0f70e8a41bb219ae76550b862d16340cc1 | 0 | 0 |
| AWS ElastiCache Security Group Created | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 82c9482509e59596843bf9c369a8a818e8248c0b8cd43217762ccd4546d5471e | 0 | 0 |
| AWS ElastiCache Security Group Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 886c07a825a6d3bd1d71d9238ecd1c47fe341acccd997dfca9df6d55d0ce1924 | 0 | 0 |
| AWS Glue Development Endpoint Activity | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 535cda9e5250683c27341783e572cb03b5946e3a3930ed6e7ec71fb51411adc6 | 0 | 0 |
| AWS GuardDuty Important Change | faloker | Sigma Integrated Rule Set (GitHub) | 315526975358ad2d0fa1b5c44442eda68a1a8a523b0c894de935ec21708b66ab | 0 | 0 |
| AWS IAM Backdoor Users Keys | faloker | Sigma Integrated Rule Set (GitHub) | 8ccb5db92041ee60e6fab70bedfd8e59fb916edc1226612863ffd244a78e453d | 0 | 0 |
| AWS IAM S3Browser LoginProfile Creation | daniel.bohannon@permiso.io (@danielhbohannon) | Sigma Integrated Rule Set (GitHub) | 437d0bc43652ceda0aa87573bbb94c3a919d6866b644ea5935d46f515145fc48 | 0 | 0 |
| AWS IAM S3Browser Templated S3 Bucket Policy Creation | daniel.bohannon@permiso.io (@danielhbohannon) | Sigma Integrated Rule Set (GitHub) | 7049949eb6250edfdaff9c6f6f75c3553d4b1881214da41a939e993bd88d9f2e | 0 | 0 |
| AWS IAM S3Browser User or AccessKey Creation | daniel.bohannon@permiso.io (@danielhbohannon) | Sigma Integrated Rule Set (GitHub) | 5db3d37986abefcf6bf627dfa9d9830a3ac1571749b330980a8124cb7f10ab81 | 0 | 0 |
| AWS Identity Center Identity Provider Change | Michael McIntyre @wtfender | Sigma Integrated Rule Set (GitHub) | dccc6f68a8c5bf874a96b9f05101b5b2d8dd8c2a7c433bfdc35d5e347da2d64b | 0 | 0 |
| AWS Lambda Function Created or Invoked | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 3bf7f1b2fd7fe897356a4416891664478c352bcff4a562abbb4e29d59be58cad | 0 | 0 |
| AWS Macie Evasion | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 2caf12ef20a741df57dbd3af15b2018c587c7143520a8c077a4fb25e6dd8d75e | 0 | 0 |
| AWS RDS Master Password Change | faloker | Sigma Integrated Rule Set (GitHub) | 5ce71a8dd2051186eb3bc827687f0161dcd856a3aa78737ffc610f6040d4166c | 0 | 0 |
| AWS Root Credentials | vitaliy0x1 | Sigma Integrated Rule Set (GitHub) | 9a3dad9567f385fd12f06417761f939eaf3bc223c50daac4c997e6f50f690b0c | 0 | 0 |
| AWS Route 53 Domain Transfer Lock Disabled | Elastic, Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 91af3f000e86d4d90b8e282d15d62993f5d5ca87f5375dee075988c20a572c22 | 0 | 0 |
| AWS Route 53 Domain Transferred to Another Account | Elastic, Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 79dd906114c4b150b65cf759c1c0d1d83d74766afc2feb337b08ee12e340a013 | 0 | 0 |
| AWS S3 Bucket Versioning Disable | Sean Johnstone | Unit 42 | Sigma Integrated Rule Set (GitHub) | 3cc53b253ecc68b55a375ab2fbac3f07dbdfab032ee9f12b7c3083e5969872bc | 0 | 0 |
| AWS S3 Data Management Tampering | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 14d9fe2befc885c1ed6ef46a55bc25f96407917c2385e324b8515b53a65d4b36 | 0 | 0 |
| AWS STS AssumeRole Misuse | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | ab071ff54304ef514871c1e84cc731ded005fa0ccda3b66616554a41d88efa5e | 0 | 0 |
| AWS STS GetSessionToken Misuse | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 6994df5208389be2d74373903274ef547c51d5eed02015e25e143b1932795aef | 0 | 0 |
| AWS SecurityHub Findings Evasion | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 4e8ffcd6780ba56d1f2fa59f77317ebf859a2bf43c4be7719f81b9e03dd5c83d | 0 | 0 |
| AWS Snapshot Backup Exfiltration | Darin Smith | Sigma Integrated Rule Set (GitHub) | 5a500ea597b28e994e29f0847cdbe9dc1abe44d081a8453bbb371eec0bb74180 | 0 | 0 |
| AWS Suspicious SAML Activity | Austin Songer | Sigma Integrated Rule Set (GitHub) | 173a650247a0aa08e4f7d1fbb1ab2154526c9f23e45d9bbfaab1313385bc23ac | 0 | 0 |
| AWS User Login Profile Was Modified | toffeebr33k | Sigma Integrated Rule Set (GitHub) | 943930b25869dfad30c94e1eec864e899816b0d8b783767e1940cd6e0138d53c | 0 | 0 |
| Abusable Invoke-ATHRemoteFXvGPUDisablementCommand | frack113 | Sigma Integrated Rule Set (GitHub) | 1ed460e3d1d675508d6550ae97b5b02fb7d2a41633cf104dd13ec5e3898fb4d8 | 0 | 0 |
| Abusable Invoke-ATHRemoteFXvGPUDisablementCommand | frack113 | Sigma Integrated Rule Set (GitHub) | 3f23a6c297c45d5a9d63d790d48c7f197bedbf2e2a62d28b67dec7a5a79e3196 | 0 | 0 |
| Abusable Invoke-ATHRemoteFXvGPUDisablementCommand | frack113 | Sigma Integrated Rule Set (GitHub) | aa47fee25ec87cbc15062b8d3f7e0acb8e38a64de307365aeec8cfbe02f12c8e | 0 | 0 |
| Abuse of Service Permissions to Hide Services Via Set-Service | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 44099719049070f990e032a6707550adf96a4eb8cdfdb10f3f37381678c18ccd | 0 | 0 |
| Abuse of Service Permissions to Hide Services Via Set-Service - PS | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | de5075c9666beb50edc776fa77e0615b1a9eee5a4ca639b4f9dadfa59d3ff764 | 0 | 0 |
| Abusing Azure Browser SSO | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 3a3618c16315d61e28176798a3bb0420bd03a4732de42920b67e1c038effc0cc | 0 | 0 |
| Abusing Print Executable | Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative | Sigma Integrated Rule Set (GitHub) | f96e4beae00ea6ddb52dd039e1527892e6c52cdc577988ec8e7730fd3b4cd9a7 | 0 | 0 |
| Abusing Windows Telemetry For Persistence | Sreeman | Sigma Integrated Rule Set (GitHub) | 215ab0e3f729db474131b73eb9950bd1decd0ab51c4d221a489c48004d3684e0 | 0 | 0 |
| Abusing Windows Telemetry For Persistence | Sreeman | Sigma Integrated Rule Set (GitHub) | 37508447092b61198dba6c2077887c7bd32c0396716095cb8e25593a16b30929 | 0 | 0 |
| Abusing Windows Telemetry For Persistence - Registry | Sreeman | Sigma Integrated Rule Set (GitHub) | 29f4b4ab96f93520895ca3d47ccf106f5a6fecadf74906d79a302829883cd114 | 0 | 0 |
| Abusing Windows telemetry CompatTelRunner.exe(Audit Rule) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 879510fbd52dc559762564e9dcee6b800c7ebe8846c237911775cf3f6d8d3cd9 | 0 | 0 |
| Abusing Windows telemetry CompatTelRunner.exe(Sysmon Behavior) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 18fa931666e2ae680fb1e0dcec0ba06dadd31ca6b52d9c619bb42fca8b7d7048 | 0 | 0 |
| Access To ADMIN$ Network Share | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9b8b6fde8104ca3626c27c746a6e6e07d3f8c89905e685f9a05cb5f6f4edc379 | 0 | 0 |
| Access To Potentially Sensitive Sysvol Files By Uncommon Application | frack113 | Sigma Integrated Rule Set (GitHub) | b38d0b5e0083ed5d0257c1cdbbbeb87d20d542cbfae2fd1c6f21a4fc2f16a035 | 0 | 0 |
| Accessing Encrypted Credentials from Google Chrome Login Database | frack113 | Sigma Integrated Rule Set (GitHub) | 51e8e5e690970ad68d784525926120f9a5afde96ebd20253e92cea0d07d54399 | 0 | 0 |
| Accessing WinAPI in PowerShell for Credentials Dumping | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | a683beca7674cad333d64a1ffe5ac971414b265f15a99e2f9d2c7ff967cc2fe2 | 0 | 0 |
| Account Created And Deleted Within A Close Time Frame | Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton | Sigma Integrated Rule Set (GitHub) | 2a8a66e18503e4b2c237bf255508bf585dcac87a732728cbbcd511bdd1ff7358 | 0 | 0 |
| Account Disabled or Blocked for Sign in Attempts | Yochana Henderson, '@Yochana-H' | Sigma Integrated Rule Set (GitHub) | 82398e3143a953cf8bf5e000c262201372c12f810b17f62d62c997beddd83dff | 0 | 0 |
| Account Enumeration on AWS | toffeebr33k | Sigma Integrated Rule Set (GitHub) | c2d1da71047d12f3e9e82a9b10ae31b7f37c8a89483a537c7049c6f83abd4cb0 | 0 | 0 |
| Account Lockout | AlertIQ | Sigma Integrated Rule Set (GitHub) | 1fe55c2a4747185813415dd5f4e3e497c4f1fc14e546ea9fe496f104438a0870 | 0 | 0 |
| Account Tampering - Suspicious Failed Logon Reasons | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5589ef9f2fa4b4fc38d9e2634cb65b59cc829a86599e808fda10586d97094d5b | 0 | 0 |
| AcidBox Activity | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 7036d84b791069d70f9a381859bbfdaf7d37a698a47948b343a49a64ab652cce | 0 | 0 |
| Active Directory Certificate Services Denied Certificate Enrollment Request | @SerkinValery | Sigma Integrated Rule Set (GitHub) | 7cd952b012e16e337e58b561bc42a1bbc8df8fa5d5ae9545ea7da49588d5a227 | 0 | 0 |
| Active Directory Kerberos DLL Loaded Via Office Application | Antonlovesdnb | Sigma Integrated Rule Set (GitHub) | a2eee7390841d2713ce09ab45175d989688027fe2141938274b88a1dfe11b75c | 0 | 0 |
| Active Directory Replication from Non Machine Account | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | db12e3072dac7d4a4e8f67282fbba19b12ef761b40ea26359caeec8051cefcd2 | 0 | 0 |
| Active Directory Structure Export Via Csvde.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 695199c448d3b12a58e3752401bf07e8b2e547d6efe0e6149ba8d32748ca9966 | 0 | 0 |
| Active Directory Structure Export Via Ldifde.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1c98f725d32ca2cd92f710aa97272bf68fc96ad54e57d2d1ca4444e8c95bc7cd | 0 | 0 |
| Active Directory User Backdoors | @neu5ron | Sigma Integrated Rule Set (GitHub) | b0cd1653d4d8f0519ad99bcf040b2db9dd835f2df6daa9087c3e4e0a13beb319 | 0 | 0 |
| Activity From Anonymous IP Address | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 4b5953885124610db6a2753fe567794515d46b1a767d821523e7f64e2dabb37e | 0 | 0 |
| Activity Performed by Terminated User | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 02b84310ae0b2a94f86e5369d7ec39f1a701aed32bc6728b909b446f929745c1 | 0 | 0 |
| Activity Related to NTDS.dit Domain Hash Retrieval | Florian Roth, Michael Haag | Sigma Integrated Rule Set (GitHub) | 36868991a76ff137e30dea5f77cced4da2254db444c41aa5f83cc7ba6b8fed48 | 0 | 0 |
| Activity from Anonymous IP Addresses | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | efecf6d62b61312f886723f752a5c2ee5188a1bac0ee585294f03e08291d66b8 | 0 | 0 |
| Activity from Infrequent Country | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | b9be4401ecfc9259f3e9b16e77573b0abed2cf0df93e746abce40e64e7cea7d4 | 0 | 0 |
| Activity from Suspicious IP Addresses | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | c020af8eea2544a4fee04ed5143d696c1224c429b3a7871cc87b00b8d5c6cc8f | 0 | 0 |
| Add Debugger Entry To AeDebug For Persistence | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4d9fecbabddea65e4e2c196b0377faa0c800a01ae4b90d37503e8e59aca0844c | 0 | 0 |
| Add Debugger Entry To Hangs Key For Persistence | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4efb3c3203a4753b90d62be615436fbd2c115d65169098494cb312184a25c564 | 0 | 0 |
| Add Insecure Download Source To Winget | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 69a1d86d6744047fb3da5e8d6658a659166715e107e7410172091d94fa935e4e | 0 | 0 |
| Add New Download Source To Winget | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4e66bd1dd5fee57f4ffe2ecf83a8243471e8dda3f75ccc5321ecf5e8bd5497d5 | 0 | 0 |
| Add Potential Suspicious New Download Source To Winget | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2c1d246414b6774711179081e13ab823b6631ddb09a24e701d4c5878e6c8e37b | 0 | 0 |
| Add or Remove Computer from DC | frack113 | Sigma Integrated Rule Set (GitHub) | 03210cc4570a84f3b468c8ee247567289fab5fdb4708b2818749e054268a37ae | 0 | 0 |
| Added Credentials to Existing Application | Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' | Sigma Integrated Rule Set (GitHub) | 76dbf85ce46cb957c64f0c64aec7bdf0c8e0a69603d808ac7f3607c24dbe7616 | 0 | 0 |
| Added Owner To Application | Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' | Sigma Integrated Rule Set (GitHub) | 10d9f80cd3b66a46c4b6914ee1f2de614ca2643c9c8d42baa1215bd4b6cdf58f | 0 | 0 |
| Addition of SID History to Active Directory Object | Thomas Patzke, @atc_project (improvements) | Sigma Integrated Rule Set (GitHub) | d755877a01e9e73bfd7efde3363de1b7976022aad16110c5a4b2995a9f8604f2 | 0 | 0 |
| Admin User Remote Logon | juju4 | Sigma Integrated Rule Set (GitHub) | ba345e8f98204602e6652f9d41bec21ffed8e55fe558a98315201eec3993eefe | 0 | 0 |
| Advanced IP Scanner | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 1e081f4ac10fa7ca5c1322255b4569d35b221c6b54e93ab5bd06bd891b690755 | 0 | 0 |
| Advanced IP Scanner | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 5fbf642a60f85b04f337ffeb9e377bf01fbe1ca8b9325ead915068bbec2ec06c | 0 | 0 |
| Advanced IP Scanner | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 654d8ac633b50e98138bcb448019dd2fcb8c0384ae47263728f8b4fd84b8ba98 | 0 | 0 |
| Advanced IP Scanner - File Event | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 946d2bbdd10c544f6435f9b58d066f0d418f7bf78478848e179abdd8b5ec19b8 | 0 | 0 |
| Adwind RAT / JRAT | Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 29d8efa02d53ac611d0b491bedaddbcd34e06668c553dd702b761afceca6d91c | 0 | 0 |
| Adwind RAT / JRAT | Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 40b38a30ad910fcc157b48f5890f35898cc92ae17559bda1764e434dfc37c1d4 | 0 | 0 |
| Adwind RAT / JRAT | Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 6b74b152297fb45850c046a229ca64920ee9d973e33fdb61c3954a849baa882e | 0 | 0 |
| Adwind RAT / JRAT | Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 9a837c56dc81ffe30b3cbb46efbb5eaef5933b049b212514e9bb4380f12623c0 | 0 | 0 |
| Adwind RAT / JRAT | Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | e1d3ef681f53390850fb5bcd89f8d9388eebce85673fe6b8f766bd596275003d | 0 | 0 |
| Adwind RAT / JRAT - Registry | Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 2430fe9fd6e24946c8534bace62f59a139bd0871a15e594408a81134d905d1c3 | 0 | 0 |
| AeDebugProtected Reg Key Persistance | Den Iuzvyk | SOC Prime Threat Detection Marketplace | a3febaea6fa1eefc8642f7d848d0b2d4f2b70c0359fa395d9e8ee921c218b36d | 0 | 0 |
| AgentExecutor PowerShell Execution | Nasreddine Bencherchali (Nextron Systems), memory-shards | Sigma Integrated Rule Set (GitHub) | bdfecd34e78aae683a75a4a2ea4412bf84cb14ba9fb9fac298724228723ad016 | 0 | 0 |
| All Rules Have Been Deleted From The Windows Firewall Configuration | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | de3c3a1f1f885a99189003961c40507ff50155075f1847683580c0391eca48c6 | 0 | 0 |
| Alternate PowerShell Hosts | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 66d3c05927db71e9d8760c5353ef8a161521b446c0b6cb8ea538a081d2d15e8f | 0 | 0 |
| Alternate PowerShell Hosts | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | b98a87132b8f25c1b28f308d62a1f37edb6a16c239e5d98a314a15853193b18c | 0 | 0 |
| Alternate PowerShell Hosts - Image | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 1ff53e9fd6749954464f3ac22171fc115796cbc09d5ac9331d6db4cad674287e | 0 | 0 |
| Alternate PowerShell Hosts Module Load | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 0b70b2266832f57d7fcd62d232b3b469d8788c9a97ee87dfac1147dbd08533a2 | 0 | 0 |
| Alternate PowerShell Hosts Pipe | Roberto Rodriguez @Cyb3rWard0g, Tim Shelton | Sigma Integrated Rule Set (GitHub) | ba100a757ed85b5b1b191f9aa12c8123ef59a9afd99c6cb8fdaeb4f7bd4e12fa | 0 | 0 |
| Amadey Botnet detection (TA505) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 472362d8dcad8c26a75836b16e7f1e1fa272f614affc2dd864632b8a3af7e12f | 0 | 0 |
| Amadey Botnet detection (TA505) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | cec4465383805716c59e96f51fd252bb21a3cba08cb59dfe0e21d49eaaee228a | 0 | 0 |
| Amadey Botnet detection (TA505) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | dabd120c240b719397478da50d0bac817e3ab6b120221b5c78ba3d5e42143637 | 0 | 0 |
| Anomalous Token | Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | b846a74a031dddc8eb999ae718960dbdc1ebd083e2d74d1b3cb128e93732595c | 0 | 0 |
| Anomalous User Activity | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 64bd84282a8aeb94417f4f19c1ee558b99343dcbd297434cb6ea671307569a58 | 0 | 0 |
| Anonymous IP Address | Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 2caa74eef36a842c955ee17e24b80f472a4be38dcc379c3b068528ed8a23adc7 | 0 | 0 |
| Anonymous User Changed Machine Password | SOC Prime Team | SOC Prime Threat Detection Marketplace | 5262477d283c94c8a282e110700640abccc3d50d92a485af02adb2a0ed079358 | 0 | 0 |
| AntiVM | Joe Security | Joe Security Rule Set (GitHub) | 53c56007ae94680c26786bcd895d2087db975d72635c0646c8e0ee8b2ca6539b | 0 | 0 |
| Antivirus Exploitation Framework Detection | Florian Roth (Nextron Systems), Arnim Rupp | Sigma Integrated Rule Set (GitHub) | b74dd119e6b8a4b8160d85ec696dd1b8f9d9990a6eebdc5abee1ce10d635d8fa | 0 | 0 |
| Antivirus Hacktool Detection | Florian Roth (Nextron Systems), Arnim Rupp | Sigma Integrated Rule Set (GitHub) | c199a1ab724951efd7b45265fbdd55c15874411108f51d080ff79caf07509ed8 | 0 | 0 |
| Antivirus Password Dumper Detection | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 26728f84df236571280d6d8d3ec2ef0250723676cf344e0e4b29b397901037d5 | 0 | 0 |
| Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection | Sittikorn S, Nuttakorn T, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 22284a04af59d3dfb90caff89d34cb8f366f73553f1aa99101a46e88e4200b71 | 0 | 0 |
| Antivirus Ransomware Detection | Florian Roth (Nextron Systems), Arnim Rupp | Sigma Integrated Rule Set (GitHub) | 8d8c06ae6c280fb5c26f506a8eadadc666e6b8a4b115fb8c68decf1202868f19 | 0 | 0 |
| Antivirus Relevant File Paths Alerts | Florian Roth (Nextron Systems), Arnim Rupp | Sigma Integrated Rule Set (GitHub) | a3fdf9ece7053d2030dc642bd2eb70cd4c3a3e45f7939313db5d59ae6fec42db | 0 | 0 |
| Antivirus Web Shell Detection | Florian Roth (Nextron Systems), Arnim Rupp | Sigma Integrated Rule Set (GitHub) | 0abd8831aa5efdcfa40c619dadeb24d85fa74d097fa44e68d639accddb2a7e70 | 0 | 0 |
| Anydesk Remote Access Software Service Installation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a74b000fa65a105160edaf2cea082befdfd07389b3d81378fd43cd6abf3a94b0 | 0 | 0 |
| Apache Segmentation Fault | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 723a6621f9b140b510c7f46523b33c69c2beb3f9e824516e07e5bb83aa5b0d26 | 0 | 0 |
| Apache Spark Shell Command Injection - ProcessCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 245d51be14a6aea8247e090ed8bccd7ff1343a69fe3e5ac425960f84c6c0d629 | 0 | 0 |
| Apache Spark Shell Command Injection - Weblogs | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6049b3cd09fadec41e58f1373307e089bec9fc104540bffcab8d389ffd26e28d | 0 | 0 |
| Apache Threading Error | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2210d9229d212ebd79a69712d72ae5590caccd7f8c47f91331c431e3394f87ce | 0 | 0 |
| App Granted Highly Privileged Permissions | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | f5c2edfa4568095138a74e6d1258f67aacbb769134e9dbb212870a4a8de09873 | 0 | 0 |
| App Granted Microsoft Permissions | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | 2d29ecc9290d6afa03d733640acc3d0d220b0b393f7b2719ac33295f58c34e63 | 0 | 0 |
| App Granted Privileged Delegated Or App Permissions | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | 959c26d059b6b1c8acebab85f72c99215eee0aa0897c32c96524377b6f90e88a | 0 | 0 |
| App Permissions Granted For Other APIs | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | a6bd215d292cb31faa9264f005c75200c428fc84f750306c85eb596505799c29 | 0 | 0 |
| App Role Added | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | 7b9cf1b24ba10b85109a309c8ec31d9cc0cb3bd010d2ee2c99bdb301b4a482fb | 0 | 0 |
| AppX Package Installation Attempts Via AppInstaller.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 8c20386ca2239562a26b808135071390e3abe7434cb251781a4656b1b4cf71e6 | 0 | 0 |
| Application AppID Uri Configuration Changes | Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' | Sigma Integrated Rule Set (GitHub) | 7bb4d1866297312fbaf22981a0884a00cd2b6cc0884294b995f8af22637b8c42 | 0 | 0 |
| Application URI Configuration Changes | Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' | Sigma Integrated Rule Set (GitHub) | 602740da70d3ff3d4654b32be683dfb1b49ad03a45553e1380a03ee918bc32a5 | 0 | 0 |
| Application Uninstalled | frack113 | Sigma Integrated Rule Set (GitHub) | c82edf1cc13cd1fb147ab2b58854576c3cdaad0a6d5b8b4fecbf68a08a1e742a | 0 | 0 |
| Application Using Device Code Authentication Flow | Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' | Sigma Integrated Rule Set (GitHub) | 226c91fcc62837d3f1c04764f19be2a014d6d398a9af8c46e6ff6ef2d28fa6f5 | 0 | 0 |
| Application Whitelisting Bypass via DLL Loaded by odbcconf.exe | Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | e7b216cf44265cf356b012760fb4e0a6e04289ad81a1fe180bdb6b75c59729a0 | 0 | 0 |
| Application Whitelisting Bypass via Dxcap.exe | Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 208e2a3b52a6d211e7c5b85a6b02a3d7b276c3d13e266917a5e033a43cc39d85 | 0 | 0 |
| Applications That Are Using ROPC Authentication Flow | Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' | Sigma Integrated Rule Set (GitHub) | 4edddc78b121c570c0cc0b8f9f34fda448ae47381dc23fa34d0e92afb84b8c56 | 0 | 0 |
| Apt GTFOBin Abuse - Linux | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fb264a5706df7ef97923f067f7e95a160f5ac20d0a2a45fdfd4358ea9601ac11 | 0 | 0 |
| Arbitrary Binary Execution Using GUP Utility | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3eb1798da734a1175f4064db9bcae87d8f1e0635b2a5bc95e9211a3604b8c76b | 0 | 0 |
| Arbitrary Command Execution Using WSL | oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4deaea65e083744047018aa4fd0ccf242ffa901cc82a5f427d710fbb717c213e | 0 | 0 |
| Arbitrary File Download Via GfxDownloadWrapper.EXE | Victor Sergeev, oscd.community | Sigma Integrated Rule Set (GitHub) | b72d2ff1b4c8867cd160c5e82653d122b03a4c6bca9ade97373922682058cce1 | 0 | 0 |
| Arbitrary File Download Via MSEDGE_PROXY.EXE | Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | 4a4f3b3a6b4761824b12ff4add9777ca49194d21eec186fa40bc13197799e975 | 0 | 0 |
| Arbitrary File Download Via MSOHTMED.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 60d28276317f25fdc7fa0acce62da99237f387d5ab5624b5f0fb9a3311f144ed | 0 | 0 |
| Arbitrary MSI Download Via Devinit.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6c91ae4afec46136577c1773ed9b9e0de2efd87a7f856d642c840bcd7ecc1a2f | 0 | 0 |
| Arcadyan Router Exploitations | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 0274ce4cedfe4942275222ff262ad3bc4a6d9230e7d8aa753adaf19da3b08ebe | 0 | 0 |
| Artrta Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a460ea212cd93f867529a23e3064a9972f4e4b97bbba5f916b427016caaccd93 | 0 | 0 |
| Aruba Network Service Potential DLL Sideloading | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5179445d911d6fbb8c94da23454267597f95beaeaa0630fb25175609654f9df3 | 0 | 0 |
| Assembly DLL Creation Via AspNetCompiler | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 19fb2859f06a4a8b6bbf348964fa58bca94f9c43b17beea1cf95306eaf700cd4 | 0 | 0 |
| Atera Agent Installation | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 25ae1d6038813be4c6c9dd482574522a1ec3ed0d01450b06b4673f94bef1aa71 | 0 | 0 |
| Atlassian Bitbucket Command Injection Via Archive API | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1d886380a9f8a967bf006cabbc3bad64fdf82ea3450ec02b40bcc4c56ea33900 | 0 | 0 |
| Atlassian Confluence CVE-2022-26134 | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | da92610c4bf2acba31703944912a2d93f568fe02dea678aa4640ab4c80536cf3 | 0 | 0 |
| Atypical Travel | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | e792ba76039fc494b513ec5802928f949b5e7be8a39625fb6eab43b9cd6eb1c0 | 0 | 0 |
| Audio Capture | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | a4baf3681957e567a0dcabca982a74d6ef27a7f4371c330e743abb82201ce772 | 0 | 0 |
| Audio Capture via SoundRecorder | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | 9d251711b5a07fe8fb5fa341d8312ddbf0fd1b878b4a2d04e5feebb9885f1067 | 0 | 0 |
| Audit CVE Event | Florian Roth (Nextron Systems), Zach Mathis | Sigma Integrated Rule Set (GitHub) | 0c184188e5202d857b8ad97911db2679f4da47c8ff9498e869e2794f4b017d77 | 0 | 0 |
| Audit Policy Tampering Via NT Resource Kit Auditpol | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a5d0ee315323a7612e8c53b5bbcba868cb9cf4a4b8ca2b5850b97eaf2c03f1e6 | 0 | 0 |
| Auditing Configuration Changes on Linux Host | Mikhail Larin, oscd.community | Sigma Integrated Rule Set (GitHub) | 08bdc4ce556bc84980d5552bb3426a25d11cc00dfa1d2ca4e727b609ad595cb6 | 0 | 0 |
| Authentications To Important Apps Using Single Factor Authentication | MikeDuddington, '@dudders1' | Sigma Integrated Rule Set (GitHub) | ab5210813ff4cfde3cc40f087e36f3bb3bf91424a6843fc7c43981fdd0d43638 | 0 | 0 |
| Azorult and XMRigCC behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 312ca94426dbc718ff09f09e6a43b898190a0aaf80ccbf8bbc1faeab30a2381d | 0 | 0 |
| Azorult and XMRigCC behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 384c8a60fa80b800ebd740d52e56ddada550877252c4a1c54b09045cbd667d20 | 0 | 0 |
| Azorult and XMRigCC behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | eb88bdebe1990354c146b84c3335fe5d42136e63848540b27845073f1f61fd4d | 0 | 0 |
| Azure AD Account Credential Leaked | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 9cda8f933f8bc9632d3fa51658a20896b9a602d8b05e8da67dbb407053aad8fb | 0 | 0 |
| Azure AD Health Monitoring Agent Registry Keys Access | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | 3bfeb8cfe94b16cd5b7f3c96024b95509404dee7b48144b2af8aa5ce4779de13 | 0 | 0 |
| Azure AD Health Service Agents Registry Keys Access | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | bbe20978cff2db9667ec877573b1107ee982ff6d743fa80d3cbf2b74771a384a | 0 | 0 |
| Azure AD Only Single Factor Authentication Required | MikeDuddington, '@dudders1' | Sigma Integrated Rule Set (GitHub) | 6ec6f440b21637b3be0f9f60a20e5f6fe64fbe1d64418abc56449a7f4b56c642 | 0 | 0 |
| Azure AD Threat Intelligence | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | b1484637bfce10d9b44b0b61a9a4badb20c3afda6671147541216b01dd841cb9 | 0 | 0 |
| Azure Active Directory Hybrid Health AD FS New Server | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | 74b3585358a705f41a3c47ca255f4fdf226f80d67efcd8180692d9830cb0cddc | 0 | 0 |
| Azure Active Directory Hybrid Health AD FS Service Delete | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | 79b78dee5286fabf9074e377bf3ad75038d8b8d9a5087f439b47b5c962e9a221 | 0 | 0 |
| Azure Application Credential Modified | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8249fead423c34843b4256f38229856595e4938b344740799a977671a8721be9 | 0 | 0 |
| Azure Application Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 2ca197a0660bd80fe905e4ca00acc28acc9704a89ac7f82e3b3f99f91c2277bc | 0 | 0 |
| Azure Application Gateway Modified or Deleted | Austin Songer | Sigma Integrated Rule Set (GitHub) | 99cfccf0f7621c216ab9a6e574118c7d08bd147ed24fdfc923c1bef27869dd2e | 0 | 0 |
| Azure Application Security Group Modified or Deleted | Austin Songer | Sigma Integrated Rule Set (GitHub) | fee924d31493870a0e467e4c218281258f926382c4aed996e8c0ead7b0ffd1a1 | 0 | 0 |
| Azure Container Registry Created or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | a50193cebf131589afa2e4c5caf4bd66397e7f3e21a007d2dceb8a4a87b50ef2 | 0 | 0 |
| Azure DNS Zone Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 43efaace741bf5e0b6dd18d8ac4cb9c2541ae1076b512e1bd743a3064a1e6bd6 | 0 | 0 |
| Azure Device No Longer Managed or Compliant | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | c81341f9f6cd4cd0b87566645bb2e5b8bcbf96eb3f70ff9b56ee3abf4854e84d | 0 | 0 |
| Azure Device or Configuration Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 96deb162e4d7078c4d37c8e9299cd36a06bd4e7851a6667dbf6d26a2c982d28e | 0 | 0 |
| Azure Domain Federation Settings Modified | Austin Songer | Sigma Integrated Rule Set (GitHub) | cbd7365e52f94f02a513846714617391f68f6912003a2eb9a0bbacf128259b5b | 0 | 0 |
| Azure Firewall Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | d45698a63ac241254c2e58e006dd45b43f164ffe1d0a192e9e4bfb69fd4d0a70 | 0 | 0 |
| Azure Firewall Rule Collection Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 4e5d8654f38840ce7dfb65eccbb26e41cf2087dc48fd3290abc364e99ff6c223 | 0 | 0 |
| Azure Firewall Rule Configuration Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 1966c63d48e697e85ff918b12a3933601905b8e608c26a39ba40d0802843a0a7 | 0 | 0 |
| Azure Key Vault Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8277b5e14bd624d703568cc728cc7573300e7157c6085a669f3c467b2b2dc91f | 0 | 0 |
| Azure Keyvault Key Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 9cd4b711206e3c37197e34894fa230459f8f3973e55a8393632f7b4f394a0757 | 0 | 0 |
| Azure Keyvault Secrets Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | ca76365114071335144bbd16aa1ff1702fba9628d9339290e6ad1ca4038485b0 | 0 | 0 |
| Azure Kubernetes Admission Controller | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 0f1f0dc48da97695cb6527b079cf0a309aa8c1f5330034f614fd18aa4a3a515d | 0 | 0 |
| Azure Kubernetes Cluster Created or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | ad11168ee302b9e417ef34de10e853a070a2255f619a0f2e5ce8093efa4125ec | 0 | 0 |
| Azure Kubernetes CronJob | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 6f0756909a231b1de68feb41531a09f1b4aa980d4cb705216064bbf410c47f38 | 0 | 0 |
| Azure Kubernetes Events Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8d931927daa9fe944bfee3fe82c6723e2f8c8daab9a97f657c6b92eec3f60413 | 0 | 0 |
| Azure Kubernetes Network Policy Change | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | fa73bc2ee70f7f45ebea4039e72ecbf9d55585af7633d7dc5ee78175f740c847 | 0 | 0 |
| Azure Kubernetes Pods Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | e96da18a9f7bce0ba8dbf0ea74585858e37bdf438c3a3acf0e69ad4f611d8e00 | 0 | 0 |
| Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | dcf545836738f2f84a8fe309688d2565d5db60f2003e89935f9c884ebde8b2f3 | 0 | 0 |
| Azure Kubernetes Secret or Config Object Access | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | dcea1ea1d9ac39af65a5f28568f16c91f9dc4c647daea19dce016dd2466bdbd8 | 0 | 0 |
| Azure Kubernetes Sensitive Role Access | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 23e30fa444fae1b172748e6a76e829b2b5bc2d747c0c6d679f757fbdb036198b | 0 | 0 |
| Azure Kubernetes Service Account Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8a73631fa6f0fa5dff761b9c6c0a3ccf6a66f656636662418503f105d17d8993 | 0 | 0 |
| Azure Network Firewall Policy Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 9899c52490520e420876ad5de364f9f956e993c38bb2bf6e26f7afad6560eee9 | 0 | 0 |
| Azure Network Security Configuration Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | d91818569830303d0793ec9cdf27d592e581e957caa02141080927e8d4debd7d | 0 | 0 |
| Azure New CloudShell Created | Austin Songer | Sigma Integrated Rule Set (GitHub) | 168e1c35ae1332d1fde280357d55f94bc3fa72d5f623c5075dc9e95719b508e0 | 0 | 0 |
| Azure Owner Removed From Application or Service Principal | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | f497fa0952b0643d212e000f9beedfa0e38c340e126cc980759fd73aea3f074b | 0 | 0 |
| Azure Point-to-site VPN Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 4fe122fb2f4694c438ef09c62c437757ffff5f2960a1d78aa757b6f0cdab3541 | 0 | 0 |
| Azure Service Principal Created | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8e656dbfb37b60d6fef29014993072a6b8341f80dbd9d2ac0901fc71eb99b51f | 0 | 0 |
| Azure Service Principal Removed | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | ce41462e381c9c869284161db12adbbf2078003b7ce16266c923d3dc021e19a0 | 0 | 0 |
| Azure Subscription Permission Elevation Via ActivityLogs | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 5fc1781e8afc3e000022771fd6678ed7bca2e931810fbe088916375a89ca353c | 0 | 0 |
| Azure Subscription Permission Elevation Via AuditLogs | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | f1133baebe520b6bb3b6aa03c2a199e4297f5620463593d2698f7317285f40a5 | 0 | 0 |
| Azure Suppression Rule Created | Austin Songer | Sigma Integrated Rule Set (GitHub) | c024312538da26140188fc0c40fb6fdffd2ba7813aeb307a59b8a7a73953de52 | 0 | 0 |
| Azure Unusual Authentication Interruption | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | a2fbabf1ea8e4593cac5c7ebaa8163ce713e0ccc9f65c8c76fd6ac40c53ccab9 | 0 | 0 |
| Azure VPN Connection Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | e0af5f08fe2a083cdd976c7c926cdeee6d6099cf28085ad65013d5a1c9041186 | 0 | 0 |
| Azure Virtual Network Device Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | caa2f19474e04314ce3f38bdc4f01d4f9704a841377ea129171fc6d2ec5f08e0 | 0 | 0 |
| Azure Virtual Network Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | daf496c3dedf483941f3040398af3b052a54fea0d8f410a2407b7284ae613dd4 | 0 | 0 |
| BITS Transfer Job Download From Direct IP | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a494f742d330705777e5a96f912460606a8f2e2d14c3c3ff9bca30929187e494 | 0 | 0 |
| BITS Transfer Job Download From File Sharing Domains | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b0d0f79e71de73c83c9e3ae928a91ccccbfa9b757e0826a629f68a3eb8cd0650 | 0 | 0 |
| BITS Transfer Job Download To Potential Suspicious Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 884ffa23512e6ebd77b6b249b9116f23f70d19d19433ab61ad18becb188413bc | 0 | 0 |
| BITS Transfer Job Downloading File Potential Suspicious Extension | frack113 | Sigma Integrated Rule Set (GitHub) | 07b062a873c1d9a27ed7c8b25d19df4ae39cb2bcae62b16c6c0b738e0e99e75a | 0 | 0 |
| BITS Transfer Job With Uncommon Or Suspicious Remote TLD | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 916d1dea4e8931fac50e75afcd2ff7c3c4eb8e68a32b9f83d9846a5baa1b41bb | 0 | 0 |
| BPFDoor Abnormal Process ID or Lock File Accessed | Rafal Piasecki | Sigma Integrated Rule Set (GitHub) | ad15a7ca794c1a80d655c5a8c8ce1bd98703b84bcbe58e085c057ad49c6377c9 | 0 | 0 |
| BPFtrace Unsafe Option Usage | Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | 14224ae90ba2bfd3b69a2ebda9756c88e99dccecb1580804850e6163e97657da | 0 | 0 |
| BackSwap Trojan detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e578b7532f350b30e9614eb1a524f8d25975960eeaa667becc98ac9cd99c42ee | 0 | 0 |
| Backup Catalog Deleted | Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection) | Sigma Integrated Rule Set (GitHub) | db25081a26915f454c9f9fc4dd73865d15100f764005bd361a8ec9eecee428d3 | 0 | 0 |
| Backup Files Deleted | frack113 | Sigma Integrated Rule Set (GitHub) | f15234ba5cc4c709633e015e497cce2bab7cd6f91b488b8c04ecfd5651e68749 | 0 | 0 |
| Bad Opsec Powershell Code Artifacts | ok @securonix invrep_de, oscd.community | Sigma Integrated Rule Set (GitHub) | c5b3ab9b3a0221a66b1da487bf7bd851b4f9cf0a8e2b7b22e659e5fd42b40815 | 0 | 0 |
| Banload Trojan Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4c21f3c713476df5631f5741b8b322c195fdd1759bd4220138d6e4d100c43b59 | 0 | 0 |
| Banload Trojan Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | cf78d5c37f3b09e94b3500edde1baaf99114e6503c98d1cedbf58f67f4e2b1de | 0 | 0 |
| Banload Trojan Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | df75fb5e2add2e6674d7b5df931eb3ea32c98e61f6fcc4cb9e981b99fab72c52 | 0 | 0 |
| Binary Padding - Linux | Igor Fits, oscd.community | Sigma Integrated Rule Set (GitHub) | 3fbac61acf4870c524599db45e1b2dfc09b3058a0096d5fb5b9f1cbc7cde4fee | 0 | 0 |
| Binary Proxy Execution Via Dotnet-Trace.EXE | Jimmy Bayne (@bohops) | Sigma Integrated Rule Set (GitHub) | c51bfffa36c59702837651ae2b749cfa0a0eefa6354f2183cd96c2ca6ebe57c4 | 0 | 0 |
| Bitbucket Audit Log Configuration Updated | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 61c9348095ebf5ff7625ff74dbde850df037d9a46df84ac9627b12f6bedb85d5 | 0 | 0 |
| Bitbucket Full Data Export Triggered | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 67c6db98ef2ff7fe735b9b8192be2b89786a47f612eba9e4b6418d54d0e11c96 | 0 | 0 |
| Bitbucket Global Permission Changed | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 5543e07c1bb6569086e69c3279d2d96bcf955250b783c0cd6db1e89148056973 | 0 | 0 |
| Bitbucket Global SSH Settings Changed | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 6293e5866f1c28cf8d4a6792303175d2f10a3085601bd83c10942bebfdca931c | 0 | 0 |
| Bitbucket Global Secret Scanning Rule Deleted | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 02a74ca160c2c562dcf2cfb4992cf13a25837760abc8501b496a68f565de0b6b | 0 | 0 |
| Bitbucket Project Secret Scanning Allowlist Added | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 58597d67250c84138fb5753f63e0f5bed18b2b273d5390c0f98ff1d3d698d7f5 | 0 | 0 |
| Bitbucket Secret Scanning Exempt Repository Added | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 0b9a4de8a4ed1e5d9763f57ec1859e0ad43c06ad52598642e870e936c3e8eb11 | 0 | 0 |
| Bitbucket Secret Scanning Rule Deleted | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 590a9d6a694e6ab2d76891d8386316e7b2b087d4bb6bb375a7ff67adc6108008 | 0 | 0 |
| Bitbucket Unauthorized Access To A Resource | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 89bf720db274aed10819cfb8d010ac38d06299f5f748bc7f1200f58afbe9e3a8 | 0 | 0 |
| Bitbucket Unauthorized Full Data Export Triggered | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | ddef89e07e9084f1ab4f1a31ab55d70c0a91e5ec3a1d456d1f6bae6589ae0c8f | 0 | 0 |
| Bitbucket User Details Export Attempt Detected | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 03d0e55a5e6b4785bf1b4d0edc4efdfa7dd236861552a254173ea087ce5ecfdd | 0 | 0 |
| Bitbucket User Login Failure | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | af30df46f984f2bc275184b7a59fdd467f08950571f58e6a531d5359adba484e | 0 | 0 |
| Bitbucket User Login Failure Via SSH | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | c885d714c97b87e0468d4fce9c8645f881a59e50052aeac31afaf434eaf102e0 | 0 | 0 |
| Bitbucket User Permissions Export Attempt | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 306d49ce32dc9aa9d68d8de966d78e31f46e981e5fd294161164e40b3923cf75 | 0 | 0 |
| Bitlocker Key Retrieval | Michael Epping, '@mepples21' | Sigma Integrated Rule Set (GitHub) | 7b3b2c6da15ef5621daef26ebb3baabf8a365d507916d900ab1eb197769c414b | 0 | 0 |
| Bitsadmin to Uncommon IP Server Address | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5a7b58d1d0d85ecf23dadf094755b9ec6fb8f853ee15f4f3959216ad963771b6 | 0 | 0 |
| Bitsadmin to Uncommon TLD | Florian Roth (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | 2e6f9336c9aa7e0fb900844db203acd64f2e49c46053557f76e819509277e0b2 | 0 | 0 |
| Black Kingdom Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 7b246ccd83dc04be953170d86f9c74b4e9d46071fbc612523b2b7b5564ea248e | 0 | 0 |
| BlackWater Malware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 39cd8a4762fefe23e71b4a9c925150241a4c887c22e6c33561f972f394454f55 | 0 | 0 |
| Blackout Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 85ed357648ddf115b4b4d1596a36cdf430f132c7262701da1960f5d9c685d48d | 0 | 0 |
| Blackout Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b5d26570d88e55e6f8513514b34cb8ae7122dfac66a407ee89e3136500fcec9b | 0 | 0 |
| Blackout Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e10ed3279956a72f0ea14fe2fcfa974f8619f90a357e53fe89511819a764c36f | 0 | 0 |
| Bladabindi backdoor | Ariel Millahuel | SOC Prime Threat Detection Marketplace | acbedd0b4dd2d93744542676c9afdfcf6f0f313229b26f137a2d979893bec5ff | 0 | 0 |
| Blue Mockingbird | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | 0cb9e146271e0c9ad794c98863e0e6d9c6ca19471bfea205eee4a276fecbd69d | 0 | 0 |
| Blue Mockingbird | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | 8f6a9e9bbcb601d1bc09093f383e8d8f1f7f09bf7d7e69843c14a7cd880ee0c1 | 0 | 0 |
| Blue Mockingbird | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | d0b6ca563c74d796de2ac3b8200508b7ea05a9ba9533d0d455ec1f717dd0b8d5 | 0 | 0 |
| Blue Mockingbird | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | f1ab359e7200763d0ebd605b4d6c074a821679006372360c1fef073501822e2b | 0 | 0 |
| Blue Mockingbird | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | f723401b33927cfc6f265fefe66ce2982144e1ddeb991a3b47302b70b730b91a | 0 | 0 |
| Blue Mockingbird | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | fb9f6bbd034578721056b64fb7a34b4e2726da17d1cbf5711dced3ab7cd005c7 | 0 | 0 |
| BlueSky Ransomware Artefacts | j4son | Sigma Integrated Rule Set (GitHub) | f3f5fa46032d8e0baf435978a8204bca73e3ef7d003898fc0f5dc6b2106c03e1 | 0 | 0 |
| Bpfdoor TCP Ports Redirect | Rafal Piasecki | Sigma Integrated Rule Set (GitHub) | e48afde2372557d77514edca83b126212c3f48b0bf0e38f4a35cf2ae0ed2af33 | 0 | 0 |
| Brute Force | Aleksandr Akhremchik, oscd.community | Sigma Integrated Rule Set (GitHub) | 4307719a67c4c9c1343c12fa7fbdb91107ce614a895545a9b2de04426298134a | 0 | 0 |
| Buer Loader (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6327206ca6b0ae94eb02e02c0eda55e26020672bad83ed8831fcdc84f2c0f3ff | 0 | 0 |
| Bulk Deletion Changes To Privileged Account Permissions | Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' | Sigma Integrated Rule Set (GitHub) | 5f36d7e3b3bc9590aa6a129e7e3db4fb78f2245031d5a0111add67b2dc8371b5 | 0 | 0 |
| Bunitu Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 3a8e7baeffec67b69220da8b8d25bcae45e047937d0f2f833052ef5ea532aa9a | 0 | 0 |
| CA Policy Removed by Non Approved Actor | Corissa Koopmans, '@corissalea' | Sigma Integrated Rule Set (GitHub) | 4b21e17c3224a50fbfa8db57e0c47405a95b42de6c2d13284a025f958c59cda8 | 0 | 0 |
| CA Policy Updated by Non Approved Actor | Corissa Koopmans, '@corissalea' | Sigma Integrated Rule Set (GitHub) | e97a3f03c9bdcda96062b2a4766cd34e555d12f3df4a36c6f2fd409dd05b29e9 | 0 | 0 |
| CARROTBAT Malware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 793159445715fc7a8b862f94666ae175cf0a3f6ab66c76e3af31ac86638fa859 | 0 | 0 |
| CMSTP Execution | Nik Seetharaman | Sigma Integrated Rule Set (GitHub) | 65ffc0ddb80d953bb500276c61b57ba48cb45df5128bb8264ab47e7f48b2c9ec | 0 | 0 |
| CMSTP Execution | Nik Seetharaman | Sigma Integrated Rule Set (GitHub) | ba18b1afcbf41aa13fd2cd7dc8e323b09854c6f046b4a98d07c2ea5d751d7584 | 0 | 0 |
| CMSTP Execution | Nik Seetharaman | Sigma Integrated Rule Set (GitHub) | fcd2fd95fad355c5e2d783abef0cb21f5fcc96e6ed5e0637f465bb7e75cf9342 | 0 | 0 |
| CMSTP Execution Process Access | Nik Seetharaman | Sigma Integrated Rule Set (GitHub) | 87af8c0b574ec328882da2ed6ae28880f2577cf0bbe165ae6e19d50475c6d86a | 0 | 0 |
| COLDSTEEL Persistence Service Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0f33a99a4bfd94f2626c5a36f1f07ab980d38ccc751af58e924870e7bb930fd3 | 0 | 0 |
| COLDSTEEL RAT Anonymous User Process Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 337664ed0113473c3a169dba1240dcd89d78277044915db818c8400186a76bb8 | 0 | 0 |
| COLDSTEEL RAT Cleanup Command Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cb122336ed1da922ed4fde95962aad47095c1a45a1cb960241f097eafb6cc53c | 0 | 0 |
| COLDSTEEL RAT Service Persistence Execution | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7118b199279bae0adaeb91281a04660e60d9658520976461b1605e87fa5213e4 | 0 | 0 |
| COM Hijack via Sdclt | Omkar Gudhate | Sigma Integrated Rule Set (GitHub) | ab8743ded66b586929aa13e45ceb037d6d8b0070893c7f23eb993baabe393a9d | 0 | 0 |
| CSExec Service File Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c568e6bb032adea6b3158106e565d4266246268d575976495b23fb0770e903b2 | 0 | 0 |
| CSExec Service Installation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bb100db874e4b53a1e43f49c1364d66fdd6660a9d6d901bc2e570295dc74ab9e | 0 | 0 |
| CVE-2010-5278 Exploitation Attempt | Subhash Popuri (@pbssubhash) | Sigma Integrated Rule Set (GitHub) | d934f98bfa1d3842f51f86448d12eaa5d7ae665d51986c839307e4494210607e | 0 | 0 |
| CVE-2020-0688 Exchange Exploitation via Web Log | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 00d02232ebab9d4ccdb763022a32fda3d58da65c29159ed6992ba07072196b09 | 0 | 0 |
| CVE-2020-0688 Exploitation Attempt | NVISO | Sigma Integrated Rule Set (GitHub) | 5bbc9c67b6f5cb0d9b567b095ac079935288aace38c952feeefe24cca8db2fbf | 0 | 0 |
| CVE-2020-0688 Exploitation via Eventlog | Florian Roth (Nextron Systems), wagga | Sigma Integrated Rule Set (GitHub) | b8583b9acaa360ecfe76d00ff9d352cbdf6d3107d975a243b3ffb45ea03c67e9 | 0 | 0 |
| CVE-2020-10148 SolarWinds Orion API Auth Bypass | Bhabesh Raj, Tim Shelton | Sigma Integrated Rule Set (GitHub) | b8a891b94f9eaba11d1c04c2500b004dcd5a7de6f8e0722ef3d08f910741c37e | 0 | 0 |
| CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry | EagleEye Team, Florian Roth (Nextron Systems), NVISO | Sigma Integrated Rule Set (GitHub) | 2855d4d044bf08f00f380efb88fbd76fba4f8199fdab66a8c7aaad6d63bbe63e | 0 | 0 |
| CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via DNS) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 332d13dcb0a4e1a6c422484f6927e7408031f7270166ea37cf7f557c68ec5efa | 0 | 0 |
| CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via DNS) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 5cf068578d60f0e62a85062e3f528e2e675df78e1d1b2324b93218b97404a4bd | 0 | 0 |
| CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 241626240096e85dd40e071e886b505b28444c8f3af6df03ef5c13b9d9776cda | 0 | 0 |
| CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | bd554d600bee5054372f731217934ed318c54147855183a261c54405ef43c54a | 0 | 0 |
| CVE-2020-5902 F5 BIG-IP Exploitation Attempt | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 28e45cf616425b3c243efdcab379f55c65b9c0717203ffc48f3c3f124c310ff5 | 0 | 0 |
| CVE-2021-1675 Print Spooler Exploitation | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d7d444c9a70f46cddde00a1fd7df0120fbe71489ab597d307121ebaa8d8fabf6 | 0 | 0 |
| CVE-2021-1675 Print Spooler Exploitation Filename Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 873bf5dd3d347e031a1a45c3c7da75768415ed8da25fe6136b24881f29b6ba3b | 0 | 0 |
| CVE-2021-1675 Print Spooler Exploitation IPC Access | INIT_6 | Sigma Integrated Rule Set (GitHub) | f011655155a4809262d5b5b289c20c070c7a7dec29d95846c91f3e39396d8bcc | 0 | 0 |
| CVE-2021-21972 VSphere Exploitation | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 2215493140650ea52f95acdf1c79355498c6a798bd8ab94a6943d450e765fd0c | 0 | 0 |
| CVE-2021-21978 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 82d6ddf5b00dd27b2c72d0ff170f126fdfad3155a287a936bd9d6075a8f8d944 | 0 | 0 |
| CVE-2021-26858 Exchange Exploitation | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | bea74b1863b1262ffbfa6ffd29da720d86bdcd7ad6ea4a27a2da1c563fcb5093 | 0 | 0 |
| CVE-2021-3156 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 236292ff7ca8a69ab14291cb8d62c04d3b02986279a40bf5a30c9345804f78bc | 0 | 0 |
| CVE-2021-3156 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 5d4f849169f7cbe8f891d2622b175e4a42e41f434ea0540e841504b3b7de6e41 | 0 | 0 |
| CVE-2021-3156 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 908809e40074898d7b460586768c977b2a700582c38d0355eb3f7e823d8d2c59 | 0 | 0 |
| CVE-2021-3156 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | ab3709539b01cbfabb623bf86f278fcfc6c5bb5e735e7b13392f184bd6bfbfc6 | 0 | 0 |
| CVE-2021-3156 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | daa2b8c9a016f7a9553030afbe735cc198ea85e381594ee1f438d0c54496b152 | 0 | 0 |
| CVE-2021-31979 CVE-2021-33771 Exploits | Sittikorn S, frack113 | Sigma Integrated Rule Set (GitHub) | 3fc8cf89558a3ec50308aea72b7745ae0f219f9882cda378f1cbf0487a7a3e32 | 0 | 0 |
| CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 70390bef07d59937cec0216e008ce815799b4c22a5e260a684ed6bfac4fdcd1c | 0 | 0 |
| CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 9c20b726dcc3e2be564bb8c45c1c3372d7051d5cf3ff87aa65115c110cb62f4b | 0 | 0 |
| CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum | Sittikorn S | Sigma Integrated Rule Set (GitHub) | a5aa00b412cd8e83e52f741ce80dafabe03f640d00ccf9f43a9c610344a8627c | 0 | 0 |
| CVE-2021-33766 Exchange ProxyToken Exploitation | Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8f5525eb13728c689fc0e016fae75537d736213235bcab835284983e3ec2e37a | 0 | 0 |
| CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit | Sittikorn S, Nuttakorn Tungpoonsup | Sigma Integrated Rule Set (GitHub) | 0c9b01c970160550c39d032237474fe010d45a8b283b53084a214bb65abf5fae | 0 | 0 |
| CVE-2021-41773 Exploitation Attempt | daffainfo, Florian Roth | Sigma Integrated Rule Set (GitHub) | 785c77adf74a5ac52d0c7c196fb79ad631311bdc96913b8d2e2b6f6486c36578 | 0 | 0 |
| CVE-2021-44077 POC Default Dropped File | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3ad3f26b92d2442c828898d8d576b108116639952e23e140655f058b6a03601b | 0 | 0 |
| CVE-2022-24527 Microsoft Connected Cache LPE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 39809f574bd56b1dea5fc43fa0766a4e242b3f02d25f4cc138a9d34f850e3927 | 0 | 0 |
| CVE-2022-31656 VMware Workspace ONE Access Auth Bypass | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1cf59ae9ff5a081bc97dec79c05c8f01b9f6ba7f71e907200e83ab7d5eec3e0e | 0 | 0 |
| CVE-2022-31659 VMware Workspace ONE Access RCE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bfae7dd5de2cc1be11a85762c9a4e9dcc75b72cc64c865a8c1aa30886b53cb3f | 0 | 0 |
| CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux) | Andreas Braathen (mnemonic.io) | Sigma Integrated Rule Set (GitHub) | c65a9f7bb1c6810bbd73ef2569d72d4452871449a56a7aaaa02c302c26e2069b | 0 | 0 |
| CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows) | Andreas Braathen (mnemonic.io) | Sigma Integrated Rule Set (GitHub) | 3c4affe1e3fa21a8c98b93400f7e9eeeefa91fb0deaed33aa493fbab0ee215fb | 0 | 0 |
| CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy) | Andreas Braathen (mnemonic.io) | Sigma Integrated Rule Set (GitHub) | 73411895e17be809dd1543e68baf5c76fcefcd7844b73e12ead59fc1b2f3c348 | 0 | 0 |
| CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver) | Andreas Braathen (mnemonic.io) | Sigma Integrated Rule Set (GitHub) | 2176265defbf794b0bf2f434645dccc47580e7c53e28e5d749070f689306eb4a | 0 | 0 |
| CVE-2023-23397 Exploitation Attempt | Robert Lee @quantum_cookie | Sigma Integrated Rule Set (GitHub) | d03d6ef87c35d045be74c0b4e83fdf1d82094e9e8e7dc4dd0b3a991e1183c794 | 0 | 0 |
| CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 133db4f9fc9443b0ad9758552390f1c8352cb4eb1be719e6ae0531ff7ba00794 | 0 | 0 |
| CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process | Nasreddine Bencherchali (Nextron Systems), Andreas Braathen (mnemonic.io) | Sigma Integrated Rule Set (GitHub) | 93c128b68ab2f43a2f27d357ed878d53c998552ed10a9b36e6ab28475c99ee1e | 0 | 0 |
| CVE-2023-40477 Potential Exploitation - .REV File Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b5c032f705af923c7d0d8a333a943983b1113705bd56ead5babcac07085ac3d2 | 0 | 0 |
| CVE-2023-40477 Potential Exploitation - WinRAR Application Crash | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d8f75c668c412d2b5a8e5deac732edf8eaaaa165b5440f42162ea2f0b717d230 | 0 | 0 |
| CVE-2023-46747 Exploitation Activity - Proxy | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4210b5d3588a3457ef0fa219ba7edf5ef196664dbb73640a1bf5d298fd3034ec | 0 | 0 |
| CVE-2023-46747 Exploitation Activity - Webserver | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f53f844874207eb6e912e375d0e64ebab625c3d43d4296a31cfb284c37b2f92a | 0 | 0 |
| CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 631a85ef66371462b3eaec9f5da06aeeae03d03ba675c40a806bdc3d68b00852 | 0 | 0 |
| CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fc8da6a1bd2189b538895671fa22fe7a4537817f4e7cb0ecd5e1cd1a56fc2218 | 0 | 0 |
| CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy | Nasreddine Bencherchali (Nextron Systems), Michael Haag (STRT) | Sigma Integrated Rule Set (GitHub) | f56bb706c65c30d14bc218379ad8de699420eb8bd94ebb042d3b49383c392e91 | 0 | 0 |
| CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver | Nasreddine Bencherchali (Nextron Systems), Michael Haag (STRT) | Sigma Integrated Rule Set (GitHub) | 553efbd6a2312d925cb12bded16c4df8fa79c83257e8cba1b7a9e0e1f4319706 | 0 | 0 |
| CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d0efdd423541b3431540a0a6116518c58bf0f8547d8901a17042d8fac58d0d03 | 0 | 0 |
| CVE-2024-1708 - ScreenConnect Path Traversal Exploitation | Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress | Sigma Integrated Rule Set (GitHub) | db3e51b1207c4b046dd3a65dcdcbb325874f14773682a626e155375a91d43ac6 | 0 | 0 |
| CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security | Matt Anderson, Caleb Stewart, Huntress | Sigma Integrated Rule Set (GitHub) | 2010070f1cee6c38cb3431c0c5ab57a0eb0ec127ffeadbabf9e63ac8585c3a5e | 0 | 0 |
| CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation | Matt Anderson, Huntress | Sigma Integrated Rule Set (GitHub) | fde13561262fbb7353945757e98068e731bff65279c0e776243d247b5d925aaf | 0 | 0 |
| Capabilities Discovery - Linux | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c7d7a76816d1701b70058175cd64c9141dd713d3f50d5f0d656227b1e6b3b530 | 0 | 0 |
| Capture Credentials with Rpcping.exe | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | 15be2ea21971f32bb037bc7f681259a4f9e1989cf78ab9a1dd5f8efe68cfcdbb | 0 | 0 |
| Cerber Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 064b8f335c5dad53244cfd14a7c51a8fd536dc8c86741bd6699e06ffdc7563a1 | 0 | 0 |
| Cerber Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 509dbbd043383b28efe214cbd5f61869746cda8dd2069a844d35af2ad5c12e71 | 0 | 0 |
| Certificate Exported From Local Certificate Store | Zach Mathis | Sigma Integrated Rule Set (GitHub) | 8c89cbee7e29ba90d3d255c084d1cd2d894d8554bc8c6a0e23f848fa0cedcc1e | 0 | 0 |
| Certificate Private Key Acquired | Zach Mathis | Sigma Integrated Rule Set (GitHub) | beec2af2d4d83b34085ae8f8046960cbe62957a2b2161262398ec726f4582d69 | 0 | 0 |
| Certificate Request Export to Exchange Webserver | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9ec2157972ed064f3fd9dc25d8dd71195ab84c7747a3c17923cb09230442d76b | 0 | 0 |
| Certificate Use With No Strong Mapping | @br4dy5 | Sigma Integrated Rule Set (GitHub) | d404389ca07bcefd99b150983136720d0ed2232c573c30f9f8ec97625a1725be | 0 | 0 |
| Certificate-Based Authentication Enabled | Harjot Shah Singh, '@cyb3rjy0t' | Sigma Integrated Rule Set (GitHub) | 9f5bd6d33912f186c287bd49a47c58dbb2988d00d6ca61e3ed71108ac738a959 | 0 | 0 |
| Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 1d13c62f756a81c5138fc3c57236cc1ec96910a5b90687e628170734dae53640 | 0 | 0 |
| Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 1f40062e963356a7f04535a0f3fb4eec269440ca226f367f7b8bab940022cac4 | 0 | 0 |
| Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 353ed25aa9f2dfe8e0a56f2a3321d579ce4e7e8d20563769e0f02ff01ac06c3a | 0 | 0 |
| Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 4207cea59e80ca7ec1b55f3bd2cfae0e47398daf8485c73feabf38a1484ac532 | 0 | 0 |
| Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 5a93f630933a2040c4795df341b70fd08f3b7f1730c331cb6e025d13fe3d7d30 | 0 | 0 |
| Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | b1eb7ac5e07136335fc21860603d89c40eb6488824477f00827b6749b15c1217 | 0 | 0 |
| Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | fed33455c8438e9a672de5f0fc2f48651ff0449b0427f5747e2b98db25e3088f | 0 | 0 |
| Chafer Malware URL Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cadeba64d91814a5bec0863ecd58722639024a5eb3b5f8e1059bf7ac84765c9f | 0 | 0 |
| Change to Authentication Method | AlertIQ | Sigma Integrated Rule Set (GitHub) | b48b8735d4b0c36f6b4415f9561a541fe792f70783e40570d3558a3bdb50c550 | 0 | 0 |
| Changes To PIM Settings | Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' | Sigma Integrated Rule Set (GitHub) | 94959dff01cdd28a250a85a42bf6d1f929fcad2d6921cf8ec73ad94b5f982fca | 0 | 0 |
| Changes to Device Registration Policy | Michael Epping, '@mepples21' | Sigma Integrated Rule Set (GitHub) | c58894734cae6401122b9f113877703c228c29a8fa3e4e32c1441c985c927215 | 0 | 0 |
| Chopper Webshell Process Pattern | Florian Roth (Nextron Systems), MSTI (query) | Sigma Integrated Rule Set (GitHub) | f3eb453b2f9a52250e3b43746736f8c9e0f1cfe7cf56756a7301cc6d67045bd6 | 0 | 0 |
| Chromium Browser Headless Execution To Mockbin Like Site | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ab437fcb52c9fd0fc5d12b825d9c41f440bcebce6d6e68bf64b3c0fa8bfcb27f | 0 | 0 |
| Chthonic Banking Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 5915609df8f0f33be9c7c82797ba777d92dff34c96c4483d76ea06e3a514454e | 0 | 0 |
| Chthonic Banking Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b4b70fd58934de4a756c315437db626d32720d43be443f75f71a2eb971673f69 | 0 | 0 |
| Chthonic Banking Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | bb3d22a048ab0177787e51d23515065a6af77e3dad57b621b06f01af9fa36675 | 0 | 0 |
| Cisco ASA FTD Exploit CVE-2020-3452 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 58180314ba9a1b6fc6135d8a5452d7ec429cce39bb8a0ee05e19b8cf2240315e | 0 | 0 |
| Cisco BGP Authentication Failures | Tim Brown | Sigma Integrated Rule Set (GitHub) | c1c6460f01da4621d940943b027bb03ad82d2e169061a67ae8d8c857e5053d58 | 0 | 0 |
| Cisco Clear Logs | Austin Clark | Sigma Integrated Rule Set (GitHub) | f2d0601cc4bc2b37896ef81bb36379f95f6d6da0f54e5d298d76af6e9e34dfc6 | 0 | 0 |
| Cisco Collect Data | Austin Clark | Sigma Integrated Rule Set (GitHub) | 2c692110983c838f0baff38e18c9350ae3def6ff7afca5af55221519eed38387 | 0 | 0 |
| Cisco Crypto Commands | Austin Clark | Sigma Integrated Rule Set (GitHub) | c3f4d338f538ec307b874891bf2dbd5f3ab916918bdca04a2ed53da9cb5ba3d5 | 0 | 0 |
| Cisco Denial of Service | Austin Clark | Sigma Integrated Rule Set (GitHub) | c9b1080d16e9e0175fdcbb202f1842cefd864c57eaa6a64ff1c1b4d6a5e71ae4 | 0 | 0 |
| Cisco Disabling Logging | Austin Clark | Sigma Integrated Rule Set (GitHub) | caab8d24d82768943d8a9bc5bc8ec1de7d099ef18de8846a7a84c7a0c123ae9e | 0 | 0 |
| Cisco Discovery | Austin Clark | Sigma Integrated Rule Set (GitHub) | 922dd1761e6de8935b8deddf2c702455c9687e7ce9135ddc502be597a434ebf1 | 0 | 0 |
| Cisco Duo Successful MFA Authentication Via Bypass Code | Nikita Khalimonenkov | Sigma Integrated Rule Set (GitHub) | 1ebe0db305a0b6286eb9ad88d1675fc096f3fbcbb19b6354549bfad0bcf6c13f | 0 | 0 |
| Cisco File Deletion | Austin Clark | Sigma Integrated Rule Set (GitHub) | a81d06d9e233156764ebf91e560a8a01fdf1b044beeaaa400b065b5be267cbb0 | 0 | 0 |
| Cisco LDP Authentication Failures | Tim Brown | Sigma Integrated Rule Set (GitHub) | e25b710f3b1915a497274ca420eccf7ce816686420806bebb413fd621f516a4b | 0 | 0 |
| Cisco Local Accounts | Austin Clark | Sigma Integrated Rule Set (GitHub) | 066ace76e41c5e84ccb56804255ccf2d9c27332fc287e77151b9a6bd70f1d723 | 0 | 0 |
| Cisco Modify Configuration | Austin Clark | Sigma Integrated Rule Set (GitHub) | e1d658a7e96d34fae9c9489f15cc7e66d2d932e0902ae1d9b63e49f69008a557 | 0 | 0 |
| Cisco Show Commands Input | Austin Clark | Sigma Integrated Rule Set (GitHub) | 52e2f120bc6f6a2fdea0d88c7334e68be41c50e02ac50ad9447e3b97ccc8e8c8 | 0 | 0 |
| Cisco Sniffing | Austin Clark | Sigma Integrated Rule Set (GitHub) | 8acea30044d76f3304a28112da3f66be2f2b9d450a7cdd1784f9c45ad56191de | 0 | 0 |
| Cisco Stage Data | Austin Clark | Sigma Integrated Rule Set (GitHub) | 3ba27fda76b2e27f70c6f07a668f4d28b5903a7813afffa184749aeb9b961725 | 0 | 0 |
| Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | afd8157e130ac5b1e85a83666d958d63adfa7ab570ebfbdcabdc1b7034b9f9c1 | 0 | 0 |
| Citrix Netscaler Attack CVE-2019-19781 | Arnim Rupp, Florian Roth | Sigma Integrated Rule Set (GitHub) | 98e0f69c0d080f1ab9346e1ebed9222049669b100a11bbaa8b110d9d96ad8828 | 0 | 0 |
| Clear PowerShell History | Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 860e5b755d1cea66957a1dad5567ffc45ea7e50f98c8c0958538a8507ec82f71 | 0 | 0 |
| Clear PowerShell History | Ilyas Ochkov, oscd.community | Sigma Integrated Rule Set (GitHub) | Sigma Integrated Rule Set (GitHub)-dfba4ce1-e0ea-495f-986e-97140f31af2d | 0 | 0 |
| Cleartext Protocol Usage | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | 1f1ab8a0a3fe05dc5f6db77a733d09949a236725db888a8fc8999542edaa9d84 | 0 | 0 |
| Cleartext Protocol Usage | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | 4ffd878e89c72b4ceec82aae1b81d7e86116017e259d0f026184c047ac87f080 | 0 | 0 |
| Cleartext Protocol Usage | Alexandr Yampolskyi, SOC Prime, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 550069c609adf898c0cd2425bccf7458002df9eda036de658988e3fc1c99025d | 0 | 0 |
| Cleartext Protocol Usage | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | d2de6c91a552659c64031d52630045d58a65e9b7f816c23dffb75c531fe65479 | 0 | 0 |
| Cleartext Protocol Usage Via Netflow | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | 5a34aa084745df161fe9743db142a1c40cb5ee3886200a67d6ad228a51483a8a | 0 | 0 |
| Clipboard Collection of Image Data with Xclip Tool | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | bba5d6f743a4d29df17318bea6702db4ec9ccad741bcfd230545482d2f75c48b | 0 | 0 |
| Clipboard Collection with Xclip Tool | Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | 05e02a479959ef4e06411f4b132dbfbf2eff4ab9239d4732bc6b92c1762decc4 | 0 | 0 |
| Clipboard Collection with Xclip Tool - Auditd | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | 5750f0c9e7a5b3d955a1de73bac6ad176f1d221bbe3b3a3c29db1eba3f280619 | 0 | 0 |
| Clipboard Data Collection Via OSAScript | Sohan G (D4rkCiph3r) | Sigma Integrated Rule Set (GitHub) | 9456883e215175e623eb73fc5dbb97051dd3a45173a64f1b6fdd7f0fe53870f2 | 0 | 0 |
| Cloudflared Tunnel Connections Cleanup | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 48787c99cfb6d0430c601a44d4594a6eafff633bca387f3be21825df6a8869d1 | 0 | 0 |
| Cloudflared Tunnel Execution | Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 143bb177d88746ae7cb80c574d4992f4ffef743521dc06124cbc5cfe61ff6a66 | 0 | 0 |
| CobaltStrike Malformed UAs in Malleable Profiles | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e4c423de550bfad9e2962081acef2175c6383ee5809f156deedc218690445bcc | 0 | 0 |
| CobaltStrike Malleable (OCSP) Profile | Markus Neis | Sigma Integrated Rule Set (GitHub) | acdef10f5ebf1c2a007b873f8340f11064f333ffafafbe6d5458758dfafd1a60 | 0 | 0 |
| CobaltStrike Malleable Amazon Browsing Traffic Profile | Markus Neis | Sigma Integrated Rule Set (GitHub) | 4c8dcd1969f5864da6d00d316324cc9c07906eb46dcd52cb5ef77dec09e5f886 | 0 | 0 |
| CobaltStrike Malleable OneDrive Browsing Traffic Profile | Markus Neis | Sigma Integrated Rule Set (GitHub) | e3debddaebc6a6805b6ecd204901a61dc7771baba667b06ae7259af94cbd15da | 0 | 0 |
| CobaltStrike Named Pipe | Florian Roth (Nextron Systems), Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | acc7e9be68d0e1ad85dc9aafc935bc08834e6cc9a7cc48742991e53d197a46af | 0 | 0 |
| CobaltStrike Named Pipe Pattern Regex | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 337224175c49faeb48d475b30549b027ea2f3c467baf9b22a069f35aebe5bd66 | 0 | 0 |
| CobaltStrike Named Pipe Patterns | Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 905fc9490af8169f526089d670a3608b44417c93f5ab5a80be4f4e507ea02668 | 0 | 0 |
| CobaltStrike Service Installations | Florian Roth, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | 07ed77ae45c45cd6dbde58702a9401f505bb4cd22daf19d09993a5c55b05ec21 | 0 | 0 |
| CobaltStrike Service Installations | Florian Roth, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | 52fb124d4388460bedaa284c35492d9da80a1d697d6610dcdcfa5dc688ad118b | 0 | 0 |
| CobaltStrike Service Installations | Florian Roth, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | bd6e98a1ffa061e8610929a967d533a5f85adf437c7f2694f4b79edcf04c254f | 0 | 0 |
| CobaltStrike Service Installations - Security | Florian Roth (Nextron Systems), Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | 1528f16fe86df1015680377eab269f8383ca863cc09a040605bbd624ab36512e | 0 | 0 |
| CobaltStrike Service Installations - System | Florian Roth (Nextron Systems), Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | d47c2221db7aa13e5c3645ca6ec5b315a643a4b9f5a9e50af5bece9e79885196 | 0 | 0 |
| CodeIntegrity - Blocked Driver Load With Revoked Certificate | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b6a678b271d158987968faddcf4e07f864b2080c9ff19677921e776403be400e | 0 | 0 |
| CodeIntegrity - Blocked Image Load With Revoked Certificate | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 132ca6f5fb7e5a46d0c0ff1f9eb4c7f5419923db740bfc931f7bea2b278599ed | 0 | 0 |
| CodeIntegrity - Blocked Image/Driver Load For Policy Violation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e6e7ace9263c4389270ed38b7e0c29fbdc243a863684b3c39cbef17bd49812a1 | 0 | 0 |
| CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6a1d97c70e8413dd69f28f480801e5d69ebb97e686ae59b206de96febab6ba96 | 0 | 0 |
| CodeIntegrity - Revoked Image Loaded | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0385dc4cda443963e2dd06654558c402177adbe2b65508f91693ad23a1fd8dd3 | 0 | 0 |
| CodeIntegrity - Revoked Kernel Driver Loaded | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7bf35bc9eebe9bfe3139bcbf63ca7c974b3fefcd8b33954b32739e1a8f4781b7 | 0 | 0 |
| CodeIntegrity - Unmet Signing Level Requirements By File Under Validation | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 02c7efd9db64dc8e5d5e82d3bba880a3b1ab9e0fec19e15c668b9a63e1d58fb1 | 0 | 0 |
| CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 75251a9aae0ea977aee8b2377ffb016f60bd12ebffc44e85268a3eadae94e300 | 0 | 0 |
| ComRAT Network Communication | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f8b1e8439f6b16f86828128a05821dfc35b5cedac0b0ef9588c00d9a12d0ef31 | 0 | 0 |
| Common Port with Unusual Service | SOC Prime Team | SOC Prime Threat Detection Marketplace | 448567e1372cc2d57c61ba1258607614de4959656f08b0c769cc4a2d4b6adf6b | 0 | 0 |
| Communication To Ngrok Tunneling Service - Linux | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4923797d38f9e57931d4c2524c152b3df9355de308a97dccb63f2d0cfffc3461 | 0 | 0 |
| Compress Data and Lock With Password for Exfiltration With WINZIP | frack113 | Sigma Integrated Rule Set (GitHub) | b6ab11c7f95ec7eeb0c511d3c26533628fe403bbf4d5d8e13ba54958aa6899da | 0 | 0 |
| Computer Discovery And Export Via Get-ADComputer Cmdlet | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ba0dcf90e36e7408825fbc2ef8c0738174fd31ac01bdf199a594035504753788 | 0 | 0 |
| Computer Password Change Via Ksetup.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1b69c2b97209ab8f9dd58e3300058e91e7473df6ba78a0ad001451070d2f29b9 | 0 | 0 |
| Confluence Exploitation CVE-2019-3398 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 51b242528b12df33e19aef0d9c491da0899ee0c15706bd24fa1d8bbfdd0c0e20 | 0 | 0 |
| Container Image was Uploaded via Unusual Client. | Brandon Hart | SOC Prime Threat Detection Marketplace | 0b491699d6ca77a7ec742e9676c80395862b7093ff6ffbfb2aa1d4d22e32f84e | 0 | 0 |
| Container With A hostPath Mount Created | Leo Tsaousis (@laripping) | Sigma Integrated Rule Set (GitHub) | 23d90a8aef65da2283cf7fab07c5ef05711654bc8d459908f94c188505537b67 | 0 | 0 |
| Conti NTDS Exfiltration Command | Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0b3dd39a21682b0ad57453e8c2da509ea751696a9ed99cae7fb6658a7c77adde | 0 | 0 |
| Conti Volume Shadow Listing | Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 08ef6e8b498eef96cef9154fc59c951d935c3fc9b707146c4eca4567eaa5db9f | 0 | 0 |
| Copperhedge Malware (Hidden Cobra) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | aa72a19331c2c067f40e6e48ff853baac0a3d4a25566bc66809995fc42cf7cd8 | 0 | 0 |
| Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a292fe3208d4e527b02e65976d44d0f6cfe4c3966558ae97f2b6ab6403ffdb94 | 0 | 0 |
| Correct Execution of Nltest.exe | Arun Chauhan | Sigma Integrated Rule Set (GitHub) | f2418d4c95e6ea8c75c68ad4358af3fc47e78b7630289f9d13fe04dc688a039b | 0 | 0 |
| CrackMapExecWin | Markus Neis | Sigma Integrated Rule Set (GitHub) | 4937cb1804ae450d1760b136159503b4a353a27a37e6b66253c12834ae1fa611 | 0 | 0 |
| CreateDump Process Dump | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 687da476fe7fa5f062fed8f4a4daf9774c0ac4734d817bf428d2c8de23a0b15f | 0 | 0 |
| CreateMiniDump Hacktool | Florian Roth | Sigma Integrated Rule Set (GitHub) | 9ba3182e2ff92ecee64624cd2f1f24935f5ebeb42a5e6530cad6ea428e2941ea | 0 | 0 |
| CreateMiniDump Hacktool | Florian Roth | Sigma Integrated Rule Set (GitHub) | b0407739067c1a391ad55a8b30a1c8109e9239a36d94cf389a4f842a53e36f73 | 0 | 0 |
| CreateMiniDump Hacktool | Florian Roth | Sigma Integrated Rule Set (GitHub) | b66ace0358aa3fe35f98b7d2f726aab76956778883e2fd65cbc867bae21e360a | 0 | 0 |
| CreateMiniDump Hacktool | Florian Roth | Sigma Integrated Rule Set (GitHub) | db9bea11b648e60a727a16af04702fe0746657460d47aa50814a4f7999f58cb6 | 0 | 0 |
| Creation Of An User Account | Marie Euler, Pawel Mazur | Sigma Integrated Rule Set (GitHub) | f796279cc60013c4736e3ef7e5a140375fba8a3d78694c9d524620326ae8efcf | 0 | 0 |
| Creation Of Pod In System Namespace | Leo Tsaousis (@laripping) | Sigma Integrated Rule Set (GitHub) | 55d9354329a9fc0545bc60c3642ee567fd8a86b404b8c209708ff60f10cd197e | 0 | 0 |
| Creation of a Local Hidden User Account by Registry | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 958ac16256f17b20c00b2a83f4bbad49236266d2b84e59eb2d3c29989efc96b0 | 0 | 0 |
| Credential Dumping Activity By Python Based Tool | Bhabesh Raj, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 7abfd50efa56572c526738496f6f7059c451615d2e5d8721055c1e39606f97cd | 0 | 0 |
| Credential Dumping Attempt Via Svchost | Florent Labouyrie | Sigma Integrated Rule Set (GitHub) | bfad2de2a3ff697a6170b489903df374d7555714e903a5cd764894bec8d7b4df | 0 | 0 |
| Credential Dumping Attempt Via WerFault | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6b68e7771434f120225b803e124561f1868c6b5b6459772f4833fa1907ff7948 | 0 | 0 |
| Credential Dumping Tools Accessing LSASS Memory | Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community | Sigma Integrated Rule Set (GitHub) | a293708df42b2beba9f1a26e123fed278dfc67f5946ce8c995b2800c58d69e2f | 0 | 0 |
| Credential Dumping Tools Service Execution | Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 1243009f29fe311d9199398e8babee9294e8f9e57205fe6ebec6696ab0eec9e0 | 0 | 0 |
| Credential Dumping Tools Service Execution | Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 433b594a58a12c33431c033f7e53c41d5f635df8cee206163112bfffde169958 | 0 | 0 |
| Credential Dumping Tools Service Execution | Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 9a7af0218101ae1b67047098f1cf187e06c88982ba45ad3ef1c685c27788b02d | 0 | 0 |
| Credential Dumping Tools Service Execution | Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | ad25ab512a3789c7da7d55a7b60c4d528db1206a0a4d26f3f44d945cc456cc2d | 0 | 0 |
| Credential Dumping Tools Service Execution | Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | be637f31d674fd7f3e36ce2982a40811732c7bbd70435fdb0378ab0bcbd73618 | 0 | 0 |
| Credential Dumping Tools Service Execution - Security | Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | cda32da0a87ef0f9603fc5592471efd0b39082003d4bc39f06871a5dd4336130 | 0 | 0 |
| Credential Dumping Tools Service Execution - System | Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 61e2aaf48c321983d311349f6bced27944c28bcd53f96ee143d8a0a1c321a5f2 | 0 | 0 |
| Credential Dumping by LaZagne | Bhabesh Raj, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 8cca9e462f882fe58e9f320bb7380d7edbaaaab831521d9f739cca42cf64db37 | 0 | 0 |
| Credential Dumping by Pypykatz | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | e7a973176dcaaa7050f1a216ca0d3075bfc12fecf2db13696af32148bd07d6bf | 0 | 0 |
| Credentials In Files - Linux | Igor Fits, oscd.community | Sigma Integrated Rule Set (GitHub) | 26d8c61d691959676fb6d8b0217d408f4dde823800f79771a458011d3577ffbb | 0 | 0 |
| Critical Hive In Suspicious Location Access Bits Cleared | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d5fafba749f09175307d78b0d786f5482b76b825bb977157b90e432409119ff4 | 0 | 0 |
| Cross Site Scripting Strings | Saw Win Naung, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | abfc554e6723d78308adb5dd0917e5604dac15611a98637633eae81fc3aff08f | 0 | 0 |
| Cryptbot Stealer | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 06c9cbff1ed607186f04da92f2cf1648e2db7108306751e56b1e9f5123d11b60 | 0 | 0 |
| Cryptbot Stealer | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b2707a69365d76d4836147eeaf9407e838f5322fcbd5f89cf86c86f1ba4239d5 | 0 | 0 |
| Cryptbot Stealer | Ariel Millahuel | SOC Prime Threat Detection Marketplace | cdf252693ebe9b52f81229cb74ba8436f6cfdf9cc5c11f178cf9edb027c266aa | 0 | 0 |
| Crypto Miner User Agent | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ff0cfc194b0f8edd392e317c8a3d0e012351873096248a33ca36c2b71f5ab3a1 | 0 | 0 |
| Cybergate RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e806ec700e831384b0d77c8508e1614d850eb5c7ccb89a9b745d0871c0136e5d | 0 | 0 |
| DCERPC SMB Spoolss Named Pipe | OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 9aca3bd938d644fb20cf3d83a10353ff1440153ab17579e69ed2ee17848c5d93 | 0 | 0 |
| DCOM InternetExplorer.Application Iertutil DLL Hijack - Security | Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) | Sigma Integrated Rule Set (GitHub) | 325801736478f2eeb21dc4d27671455172bd5ba8978fd1c153bbf1bb560f4617 | 0 | 0 |
| DCRat Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 35dd39a15009dacc7bdd973a9fb1484b964accb38bbcb7a63bc0b1bf73131df0 | 0 | 0 |
| DCRat Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d6883f28a13f18946f9da1e0d84588bc6e01de49d97cdecbb8b3d5bc2b945880 | 0 | 0 |
| DCRat Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d84b3a1cba66ed28c6c66d9a5dd807e984d42ba3b1e61ae45717b77695109095 | 0 | 0 |
| DEWMODE Webshell Access | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9e465f124d03f3f4a5d575cc4d87bde86fda1fa3092da13a47c07f473c865bbc | 0 | 0 |
| DHCP Callout DLL Installation | Dimitrios Slamaris | Sigma Integrated Rule Set (GitHub) | 08a22f080dbceb91fd6109159e695139744d9c12f6d94b12c35474b710aeb4ae | 0 | 0 |
| DHCP Server Error Failed Loading the CallOut DLL | Dimitrios Slamaris, @atc_project (fix) | Sigma Integrated Rule Set (GitHub) | 11670a8f337ded0b6b72a5c41df4831c1b1da694f85e044e4afe1839d5dbc82d | 0 | 0 |
| DHCP Server Loaded the CallOut DLL | Dimitrios Slamaris | Sigma Integrated Rule Set (GitHub) | 4928e3042535af018624a20ce17e807b66cf935200331da04e2db35a1b6cb695 | 0 | 0 |
| DLL Execution via Rasautou.exe | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | 18ed0db67fcc790c2b7e9ff5c111ae3691af0b9f2d52618d41d7f956ce8aa598 | 0 | 0 |
| DLL Load via LSASS | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4dbf0d3da4d07dd172361786684269e5741eb3602ce1bf2c2c287041e8abe017 | 0 | 0 |
| DLL Loaded via CertOC.EXE | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 42f3abed5774e74cc80412cad617ceb1f8881fc484a38c351eed5b589c80dee3 | 0 | 0 |
| DLL Names Used By SVR For GraphicalProton Backdoor | CISA | Sigma Integrated Rule Set (GitHub) | 058749590d98037f9567485972425d033a51fe2b9aede9ec603af1c03edc136c | 0 | 0 |
| DLL Sideloading Of ShellChromeAPI.DLL | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d07d6140d7d6a4e6a50db53310ea4d80cb48d33c95e0ced5e0570d488c2afc0b | 0 | 0 |
| DLL Sideloading by VMware Xfer Utility | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 101d7b771d2663a74e9a33cf0dc8d8475af6fe5fd97cda9ecccde0e9c99325b6 | 0 | 0 |
| DNS Cache Enumeration(via CIM/WMI) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 11f3c97d5bb96ad59c7eb445ca4feeab94c4ea4fbc54c6a6ff11061bab8a11b3 | 0 | 0 |
| DNS Events Related To Mining Pools | Saw Winn Naung, Azure-Sentinel, @neu5ron | Sigma Integrated Rule Set (GitHub) | ed013f86bfbbcd25b8e462391d437165af76f6ca7e0b33cde4fceb2ee58d3e57 | 0 | 0 |
| DNS HybridConnectionManager Service Bus | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 3aadcde102c8a083c36e571f1926927d5bdeddec39fc0f3ca9c514988407c7fe | 0 | 0 |
| DNS Query To MEGA Hosting Website - DNS Client | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2b4a7505fcfe362c57f7197c82cd809926da3383f77134bc5dbe2e5db9fd580c | 0 | 0 |
| DNS Query To Ufile.io - DNS Client | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c79f5bc9cf7e15e6774913e56090aed7fc5e39f8a3736629ce5efd2eb94d220a | 0 | 0 |
| DNS Query for Anonfiles.com Domain - DNS Client | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 12c2f09405eb6cfb663a8cb88fab690da7fc0b72826d360fa3c6714abd86b972 | 0 | 0 |
| DNS RCE CVE-2020-1350 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c2b9377be93da37de7a04778f2a879e0e03b32b8aa2f1d0dd8b7c1ba72d7727b | 0 | 0 |
| DNS Server Error Failed Loading the ServerLevelPluginDLL | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a560dac7223fded812b9599d8c99d99739563099829698349739e8edeb365cc8 | 0 | 0 |
| DNS ServerLevelPluginDll Install | Florian Roth | Sigma Integrated Rule Set (GitHub) | 5935b25ff10421da2a478f9f484858a9599e6551a17272c7a4017c6e1a55df07 | 0 | 0 |
| DNS ServerLevelPluginDll Install | Florian Roth | Sigma Integrated Rule Set (GitHub) | 8435be4251ebdf2b4f18ae9d65faca381dc2fad4574c29cff3a962e5c9237487 | 0 | 0 |
| DNS ServerLevelPluginDll Install | Florian Roth | Sigma Integrated Rule Set (GitHub) | cfcbc45713ff3176a1284f986927a251f17c892931e87871325476256b26bb0c | 0 | 0 |
| DNS TOR Proxies | Saw Winn Naung , Azure-Sentinel | Sigma Integrated Rule Set (GitHub) | 1b16378c68113f05c5cf4b51586d582401449553cf4775243b8ce459ef59ef99 | 0 | 0 |
| DNS TXT Answer with Possible Execution Strings | Markus Neis | Sigma Integrated Rule Set (GitHub) | 8960985ab852fb33eb502577cd94683447f94e1a5299bfb607905f6a591cc78e | 0 | 0 |
| DNS-over-HTTPS Enabled by Registry | Austin Songer | Sigma Integrated Rule Set (GitHub) | 0426d73fef7393ca82c3fbe1bedafc6d698e787d2cd679e17ae93a3b446a487f | 0 | 0 |
| DNSCat2 Powershell Implementation Detection Via Process Creation | Cian Heasley | Sigma Integrated Rule Set (GitHub) | b31e87788fbc1690d2371c0a80ebe27cf8c7a433c9a7f28b1a077ba534308772 | 0 | 0 |
| DPAPI Domain Backup Key Extraction | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | d9a0bb3db2e444420bfe144e0ffc3f7e4dd9315a4792d088f6d79b706ac5fac0 | 0 | 0 |
| DPAPI Domain Master Key Backup Attempt | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 084c47f6ea9d2126ec7b6b95e20cdf54557800f1b8394ae472f95b6162be6db1 | 0 | 0 |
| DPRK Threat Actor - C2 Communication DNS Indicators | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 91819c057f7d81dea11b1b5ffd46c2b4564b723e118dbba5b2c24c41a8791203 | 0 | 0 |
| DarkGate - Autoit3.EXE File Creation By Uncommon Process | Micah Babinski | Sigma Integrated Rule Set (GitHub) | 72089cbe18d7a9e899b30d733717ba9daa4d7e1bda15025fd2e52a797163b8b6 | 0 | 0 |
| DarkGate - User Created Via Net.EXE | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fbea3fdcc21ba75635d639cd7f1805424b22f1a59da1627218d7050c557ffadb | 0 | 0 |
| DarkRAT Botnet | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 097182ab9d206700057ec3ab10e6684d34c9b3ff109901a14fb1dbd8da889d95 | 0 | 0 |
| DarkRAT Botnet | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 0d8a277066bf7279215ee87bce9077e63ee0037f495593431ddbff9fa822c179 | 0 | 0 |
| Data Compressed | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | fb2193574c75e35df0989335aac30e2e13f3b8163caf7eef46058ae407b19e98 | 0 | 0 |
| Data Exfiltration to Unsanctioned Apps | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | bae0cfa813856773ccb7c9ac2654b2f064928c841cb1442d6dda554b4e346c98 | 0 | 0 |
| Data Exfiltration with Wget | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | 334aab46cbdf770ef0720448d240e1b67c2a759449b703fba9d425f1450d83f9 | 0 | 0 |
| Decode strings from lnk via findstr.exe | Joe Security | Joe Security Rule Set (GitHub) | 9d57b9ed7a852960b15a4d2a7fb4faa9174893a98953c9f09989faab11ed110d | 0 | 0 |
| Default Cobalt Strike Certificate | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 19a7f2dd57b12f6048694290890081c7033fcf871e2c6ac4ddac91980374c15b | 0 | 0 |
| Default Credentials Usage | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | 65501b5c31cfa5ab80e3a4512b833f9e4bb77ef303f17fc8839abf9c1b435969 | 0 | 0 |
| Default Credentials Usage. | Alexandr Yampolskyi | SOC Prime Threat Detection Marketplace | 3ed924bf0f9ebfc7642bd2eb1a2b925d801ff58fd267c5066fe579c55051e5cc | 0 | 0 |
| Defrag Deactivation | Florian Roth, Bartlomiej Czyz (@bczyz1) | Sigma Integrated Rule Set (GitHub) | 462e0455aac7979a208190934de4564c8d6f5759fa73ea355f31b871967ed1eb | 0 | 0 |
| Defrag Deactivation | Florian Roth, Bartlomiej Czyz (@bczyz1) | Sigma Integrated Rule Set (GitHub) | 4a305b6df01e5870b2018b579218b7e7b94bcc24e0959629d5cd3812d771d39b | 0 | 0 |
| Defrag Deactivation | Florian Roth, Bartlomiej Czyz (@bczyz1) | Sigma Integrated Rule Set (GitHub) | f7c48f991deaa5a1f44d21dc156d1989c5c383f971da93ecc1eaf11928860293 | 0 | 0 |
| Defrag Deactivation - Security | Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1) | Sigma Integrated Rule Set (GitHub) | 1ab376818e4cb7b7005cf46c5c118f9d09e2779f289cd7f37afc5fca8fc6e4f5 | 0 | 0 |
| Delegated Permissions Granted For All Users | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | 7e53f4cfbdfd2c5fa0247d5fe1ab4a1b36136af1830a5d80710976b3908c48dd | 0 | 0 |
| Denied Access To Remote Desktop | Pushkarev Dmitry | Sigma Integrated Rule Set (GitHub) | 755295cd9d58dfbf7808166ecd446d284fa160fe7f2e2b5673aeef6cc5cb0a44 | 0 | 0 |
| Deployment AppX Package Was Blocked By AppLocker | frack113 | Sigma Integrated Rule Set (GitHub) | 7da40e839cf5f0d73087f8c6c4717de3ec7a13449ce8e188460f89e33b12e2ae | 0 | 0 |
| Deployment Deleted From Kubernetes Cluster | Leo Tsaousis (@laripping) | Sigma Integrated Rule Set (GitHub) | d070b9d32f621068ef3f5dc31c15ceb7b6a94fce941832d5156c1b4dfd124a5c | 0 | 0 |
| Deployment Of The AppX Package Was Blocked By The Policy | frack113 | Sigma Integrated Rule Set (GitHub) | dfe6fcb13ba0be0c88ad6cf05f81ace91ae31f8bc6eccf703deaa99c200d55dd | 0 | 0 |
| Detected Windows Software Discovery | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 296c4235eb2d9969dd70271f37fd8708d44ea158f9a24508790c33c5b6003dae | 0 | 0 |
| Detected Windows Software Discovery | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 45e686dc153cf8d6e5cf577bc67b50dc6668c51412eddb7aede600f65fd5e9f0 | 0 | 0 |
| Detected Windows Software Discovery | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | ddc07067e955f9f404023ebf4e274002f57acb50f1fe16fe88b6704df84b3864 | 0 | 0 |
| Detecting Sysmon on a Victim Host (via powershell) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 9d639e1b707b6f24ae8b637df63d5ac02aac0933b062d3477fa84d3194dc4e7b | 0 | 0 |
| Detection of Possible Rotten Potato | Teymur Kheirkhabarov | Sigma Integrated Rule Set (GitHub) | 45c3c61e20707c18533d763c9e1c0a2f3abd229bd485f75c933da3e4ba156186 | 0 | 0 |
| Device Installation Blocked | frack113 | Sigma Integrated Rule Set (GitHub) | c4ef183c583634c30e2ec4b60aecf6212b479a205961b7a079cf77cf3a10498b | 0 | 0 |
| Device Registration or Join Without MFA | Michael Epping, '@mepples21' | Sigma Integrated Rule Set (GitHub) | a158153f262e73c2256d05133ad9d1479ec9fbd516352021e325ee5e7373be61 | 0 | 0 |
| Devil Bait Potential C2 Communication Traffic | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 83086326d048b726e7824b5dc833c864d799584d9c8ffac88f23d8d94716b070 | 0 | 0 |
| Devtoolslauncher.exe Executes Specified Binary | Beyu Denis, oscd.community (rule), @_felamos (idea) | Sigma Integrated Rule Set (GitHub) | 336df26c319863147659e184f6387914d5b34b55eeb4dabe819907f747016967 | 0 | 0 |
| Diamond Sleet APT DLL Sideloading Indicators | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 46f645cfe244160c9a8d686236c14f8d5e04f29b7e951e192f3f11fd68037a10 | 0 | 0 |
| Diamond Sleet APT DNS Communication Indicators | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 04f4011ccf3e372c8fb6c31785bf840c89d521a644ead59c5fef56b888994162 | 0 | 0 |
| Diamond Sleet APT Process Activity Indicators | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 59a460975011c123a7acdb982749c27ebf78cbd37c329444676837870200aa60 | 0 | 0 |
| Diamond Sleet APT Scheduled Task Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 465232b3625350763f8a622c26f6e78139d07d99774eb093b777ec3daf2fd336 | 0 | 0 |
| Diamond Sleet APT Scheduled Task Creation - Registry | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b24c179bb77f826b4bc8f9b2f14af706eb86c3c5d14ec339cff7fb45dea8a513 | 0 | 0 |
| Disable Exploit Guard Network Protection on Windows Defender | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8c426cb2a8a98a743f8e95cb5717e867cc5d4d22fcc97255e10fac2d59176fac | 0 | 0 |
| Disable Macro Runtime Scan Scope | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e448df332034272fce5d2071fe9f070084a293696a4d9f879591bcd91b12d862 | 0 | 0 |
| Disable Privacy Settings Experience in Registry | frack113 | Sigma Integrated Rule Set (GitHub) | e047bdf5f28a6d7c67d53f5cae5362d16ec6a73c354de983be8efbd7d19039ff | 0 | 0 |
| Disable Security Events Logging Adding Reg Key MiniNt | Ilyas Ochkov, oscd.community | Sigma Integrated Rule Set (GitHub) | 6eaa9c84915e6b68d49ea0ea6b069124ad33f6d9666e8baf43270a57ee9e1b2a | 0 | 0 |
| Disable System Firewall | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | bfb6779f8bcb262174ab1cdfd6dc6c24f7ab01aa0510928dc59d51257c11e472 | 0 | 0 |
| Disable Windows IIS HTTP Logging | frack113 | Sigma Integrated Rule Set (GitHub) | 8e9b40932ae787a51edc9fadbb2fd842437eea7b83804b0090d7f069e2d0a5f2 | 0 | 0 |
| Disable of ETW Trace - Powershell | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fb21aa9533b87e78511396a558c521c85a35533d4f9f44f9380e79dcee68ae56 | 0 | 0 |
| Disabled MFA to Bypass Authentication Mechanisms | @ionsor | Sigma Integrated Rule Set (GitHub) | 53b242e959d09f957c67fcb81b740965ebe398e9ef22bb0d8ec23f5dd1add1d4 | 0 | 0 |
| Disabled Users Failing To Authenticate From Source Using Kerberos | Mauricio Velazco, frack113 | Sigma Integrated Rule Set (GitHub) | a87dc529f00cccdafd3037358d753f5b37bdbc5d5860e077d8794985d3d93f5d | 0 | 0 |
| Disabled Volume Snapshots | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 570e42eea810ffc81d8b3f1b5d284c891c1ca4a897bc6a8d5307ba5ac4feebbe | 0 | 0 |
| Disabling Multi Factor Authentication | Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule) | Sigma Integrated Rule Set (GitHub) | 991a51f0fe833478df030b9c2d5dfcbd9a08cb54d65f4fee6de32502da219829 | 0 | 0 |
| Disabling Security Tools | Ömer Günal, Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 495b384015032ab9c529e649f340c35394c72a7ace8daf0aecc9b3fe7bb5f54e | 0 | 0 |
| Disabling Security Tools | Ömer Günal, Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 7c1caf17a217864cc13be5d7320e631c61b949686fc630c72b5d143d1b4cdbbb | 0 | 0 |
| Disabling Security Tools | Ömer Günal, Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | df800176ac79cd510a92bccecd1ec64124d8917bd009406abd5457f353896225 | 0 | 0 |
| Disabling Security Tools - Builtin | Ömer Günal, Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 7657d165811c7f6d4f9ff55e9ce81d8405e42f6157faed664f28bbc8fe97e560 | 0 | 0 |
| Discovery Using AzureHound | Janantha Marasinghe | Sigma Integrated Rule Set (GitHub) | 285046a386633dc2065de3a86c090ace867fc6f4d6ea14d4dcb8e3129bbe7292 | 0 | 0 |
| DiskShadow and Vshadow launch detection | Eugene Nechiporenko, SOC Prime | SOC Prime Threat Detection Marketplace | 85495f94a180f99ee2283759ac8a387cd3df5ff6802bcebcd6fd16bd75788af7 | 0 | 0 |
| Django Framework Exceptions | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | fad46f86c5fe8acee91d73cf5901cf64df547e2777230845acfe89b79cbf172a | 0 | 0 |
| Docker Container Discovery Via Dockerenv Listing | Seth Hanford | Sigma Integrated Rule Set (GitHub) | 0e7e6c658234f42dfe3a0caeaeee9a388217d69fccd37a24dd0df1afea170b2d | 0 | 0 |
| Domain Trust Discovery | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 4fba485fa9f02eb8d0e28a7b84276fb6a276943a2948a62fe3d614248af840fd | 0 | 0 |
| Domain Trust Discovery | Jakob Weinzettl, oscd.community | Sigma Integrated Rule Set (GitHub) | 50137e4985d62ff32fe9acc8ecd34bbc1e546bce28ae9d0c168c5bc0e62c2098 | 0 | 0 |
| Domain User Enumeration Network Recon 01 | Nate Guagenti (@neu5ron), Open Threat Research (OTR) | Sigma Integrated Rule Set (GitHub) | 11a4140a5787cdd2ea81d81e4e06755144d3c4abe02a886ec68eeb79c5273223 | 0 | 0 |
| Domestic Kitten FurBall Malware Pattern | Florian Roth | Sigma Integrated Rule Set (GitHub) | d75f4b248c10259b1011107000396926b1a9e5cd4b0031500be48aee109855b5 | 0 | 0 |
| Donotgroup APT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 431dbf8b11cf45bebac6646a5fe3c450c306b29edaf25977675ee072495216f8 | 0 | 0 |
| Donotgroup APT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b3a4cba903a56c4b1c614cbde0de39dbec54a5aa5c8c8990df7f654b4a4c05ab | 0 | 0 |
| Donotgroup APT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d65688b1788bfa0f9d3f71219812a68ef61b2de1f9da32a3be8f9ce57314eba0 | 0 | 0 |
| Download From Suspicious TLD - Blacklist | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5ccaad9297f4a0eab603caddab274e285f600daadd324b7ff0b1664d5fa19675 | 0 | 0 |
| Download From Suspicious TLD - Whitelist | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0182cb90eb98bcbd6b9724bdf7aa6f62ee6e327b059e24257dfd8339db0d3579 | 0 | 0 |
| Download from Suspicious Dyndns Hosts | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d24da8eb78bf79c4be60dc23a68bd4ced6da6a3ad0eca8e8c2f4f43d08527e24 | 0 | 0 |
| DragonFly variant (Goodor) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 76c36e8978ca88131a604877350f6d74659dd6354870487d271706837731f68c | 0 | 0 |
| DragonFly variant (Goodor) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b36ce9f509e99bf322f61b552fe1197b17812c6ec7e34429e60852ccce9b21ff | 0 | 0 |
| DragonFly variant (Goodor) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f9376b94f03fe9d6f1fa80fe124bddee8d9d51ee56b3e761e3b550f5717ea1e8 | 0 | 0 |
| Driver/DLL Installation Via Odbcconf.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5a904d51bdf849fcbc2359cd5f5bfe7fb4f4a689bdb4ad7295d051464f07c8a2 | 0 | 0 |
| Dropping Of Password Filter DLL | Sreeman | Sigma Integrated Rule Set (GitHub) | ee1da0ec4e59bf6a30e8d78efcf41afcbe4babcee998f991aa62701b5fdb80df | 0 | 0 |
| Dump Ntds.dit To Suspicious Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ae98f10c9c3089fe4172736d9574028281ef25bce3681b6a3006bcb97ab56bd1 | 0 | 0 |
| DumpStack.log Defender Evasion | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9aa94cce0b20ff88d8c54a77c049e7d80f00af8ed4def6aa7395dc01692b5394 | 0 | 0 |
| Dumpert Process Dumper | Florian Roth | Sigma Integrated Rule Set (GitHub) | 4182b10f293111ccccca770ada467f9a23c6679818008b7436e1842cac95a691 | 0 | 0 |
| Dumpert Process Dumper | Florian Roth | Sigma Integrated Rule Set (GitHub) | 758c2b360e853174de27738caef97d466db11778427f5db30224884512b55494 | 0 | 0 |
| Dumpert Process Dumper | Florian Roth | Sigma Integrated Rule Set (GitHub) | 9f11ecfc5795bbd9676baf8be43d9bd9f6da30f13022e7d97b279730326db7ad | 0 | 0 |
| Dumping Lsass.exe Memory with MiniDumpWriteDump API | Perez Diego (@darkquassar), oscd.community | Sigma Integrated Rule Set (GitHub) | c2b930e9318dce446b4b4ed018e6ade935182bf7ca1404ae47923673beafee95 | 0 | 0 |
| Dumping Process via Sqldumper.exe | Kirill Kiryanov, oscd.community | Sigma Integrated Rule Set (GitHub) | b8953b2fd9eedf5150cb430ec88f3653045e82c553904a73f87423600b427bee | 0 | 0 |
| Dumps Process Using tttracer.exe | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 1b2196c83bd73a6164882d3b22f19d200742a1d5541207b0e4b8684476e12ce2 | 0 | 0 |
| Dupzom Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 38bcd0b136a2a67b8c4d5b7a13cd98cf8590d84aba9b380e944c2f8ba851554f | 0 | 0 |
| Dupzom Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b68ad5ecfba8b9b44e110368c029c99324cfa21b478209746fa0fcc441e51659 | 0 | 0 |
| EDR WMI Command Execution by Office Applications | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 283d42c1fadd5e7b1d94efc708531703992e171a52b45eefe6e2eba61827fcdc | 0 | 0 |
| ESXi Account Creation Via ESXCLI | Cedric Maurugeon | Sigma Integrated Rule Set (GitHub) | 204cde183073b63d4337cc1dcc27db716d89346fbbbc47289b869bc3656a3b6a | 0 | 0 |
| ESXi Admin Permission Assigned To Account Via ESXCLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 45890ceb9a2b49c0355894816f144136fc7032c7b874d30176759a79834a7365 | 0 | 0 |
| ESXi Network Configuration Discovery Via ESXCLI | Cedric Maurugeon | Sigma Integrated Rule Set (GitHub) | b0e8f06db3021ce68f574d3e343b81846ac1a3e307b9b6871883e3effe996da8 | 0 | 0 |
| ESXi Storage Information Discovery Via ESXCLI | Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon | Sigma Integrated Rule Set (GitHub) | ec049bb28bdd441bef0b03adf09458b2bedf629b7d1f8211ce52b1bb08ddea2f | 0 | 0 |
| ESXi Syslog Configuration Change Via ESXCLI | Cedric Maurugeon | Sigma Integrated Rule Set (GitHub) | 23eb4efca0a49a9be18859e916d295fc6950604b09895dec8bbd6f5cce7b6f48 | 0 | 0 |
| ESXi System Information Discovery Via ESXCLI | Cedric Maurugeon | Sigma Integrated Rule Set (GitHub) | 78efdf1a1e343b365b9583afd16cdb164ba3e095ba0e0675828c85f7e2d7bbe6 | 0 | 0 |
| ESXi VM Kill Via ESXCLI | Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon | Sigma Integrated Rule Set (GitHub) | 958dfce69baae04f7d2aed61952bebd60261014bc92209c800f67b3bcdfeaaed | 0 | 0 |
| ESXi VM List Discovery Via ESXCLI | Cedric Maurugeon | Sigma Integrated Rule Set (GitHub) | c0660184f15a0abf946856d7c6571b9b7de28877849a69a7740b80067f2bca10 | 0 | 0 |
| ESXi VSAN Information Discovery Via ESXCLI | Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon | Sigma Integrated Rule Set (GitHub) | 9b55915f19475d2e1d8d25068d9606af51988181213faff8a6106513a05f94ad | 0 | 0 |
| ETW Logging Disabled For SCM | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b25c9cdef72ebd81a0d1211a4769034192cd8c731778d8a88a1b327aac9b8b14 | 0 | 0 |
| ETW Logging Disabled For rpcrt4.dll | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2e3038ae7bc47420e50f90cbb3decb3348aedcdda901f3ce021b9d2efa66be73 | 0 | 0 |
| ETW Logging Disabled In .NET Processes - Registry | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | cc1b63adcbcba57ac6edb7913c2741cb0bee32fe4301f250ee4087ba643a654f | 0 | 0 |
| ETW Logging Disabled In .NET Processes - Sysmon Registry | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 35fa58d3974ddf4be72ca9c5273ff5dfde7de065d8b27e4baef1189a9c10014d | 0 | 0 |
| ETW Logging Tamper In .NET Processes | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 37c4f090dee0ead128c75a30b117563fd3376ddf2e4b622311b167c9a3b1ba18 | 0 | 0 |
| Edit of .bash_profile and .bashrc | Peter Matkovski | Sigma Integrated Rule Set (GitHub) | cebaa2668c1b09efe1fcc6d468abfb9aa15dbba4c6e04246ba9e9f0bf407dc65 | 0 | 0 |
| Elevated System Shell Spawned From Uncommon Parent Location | frack113, Tim Shelton (update fp) | Sigma Integrated Rule Set (GitHub) | 83648f12e1fbafb647c78097387a8c931b169cd2e2dd475799f2a5239321ceec | 0 | 0 |
| Elise Backdoor Activity | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7f1a0bd0e13fc71835ebb28c9bcd3329c320fbb38c22a6521ad2ec7afec74c71 | 0 | 0 |
| Email Exifiltration Via Powershell | Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea) | Sigma Integrated Rule Set (GitHub) | 8e330ded37baad5e1a3a93c94c2b86b8531a5fd14a2c4f68770cfda9b37a3f64 | 0 | 0 |
| Empire Monkey | Markus Neis | Sigma Integrated Rule Set (GitHub) | 23618eea142f67106fec1f2e49084b25abad9af9614fd101fae65a465fce36f6 | 0 | 0 |
| Enable BPF Kprobes Tracing | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0237caeadcdd18c3a857e476d6ee87550336de43d2172a1a5a52b9f60d4d18e3 | 0 | 0 |
| Enable Local Manifest Installation With Winget | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e0e156bbd124a1ed1462866c1a8f506b33f93f74cf0901c0e71c196c1e898add | 0 | 0 |
| Enable Microsoft Dynamic Data Exchange | frack113 | Sigma Integrated Rule Set (GitHub) | 4c77e232cdf4c22bbfa61c061d45db122b775ada7f113c1a871005f0314aeaa4 | 0 | 0 |
| Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 090a9379407c8096d3dc6fffa2e98c7b3f5682bd5b984f57f73900f4b7d12f1e | 0 | 0 |
| Enabled User Right in AD to Control User Objects | @neu5ron | Sigma Integrated Rule Set (GitHub) | 5b7c1293fd9b0e601e332e3957086d1d0c6a06bfadd6c43e4270efb3277d3f29 | 0 | 0 |
| Enabling RDP remotely using PsExec | Ruslan Mikhalov, SOC Prime Team | SOC Prime Threat Detection Marketplace | a0da5ca640c0db1d98b306ba62d3da18bb15ee97be16ca41d672fe2e8ebec17c | 0 | 0 |
| End User Consent | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | 9ba43faff7a4e2460922534c3ff380de37474d9aefeccb498b05be93c8f426b6 | 0 | 0 |
| End User Consent Blocked | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | b3d0cbc175e205c04b9ed5e69998bdad1f7d66c6d968e063895e2b907e13e15f | 0 | 0 |
| Enumeration via the Global Catalog | Chakib Gzenayi (@Chak092), Hosni Mribah | Sigma Integrated Rule Set (GitHub) | 1305672c2572166a4d69a39b49ae88090a50a828e90fe74ecbcb764defc3658e | 0 | 0 |
| Equation Group C2 Communication | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ec2be6d2ee05ce5b9bbe5fa0e0c88445206d45c31719b20f8b334b51509702ca | 0 | 0 |
| Equation Group Indicators | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 214644f8f8defe22c479a808c315e0abeab487ba6453aea73b617671e82afc64 | 0 | 0 |
| Evasion Base64 decode arguments in Powershell. (Possible APT29 activity) | Roman Ranskyi | SOC Prime Threat Detection Marketplace | 66bf1484dc26be16a812d0aad2d4ac6fb6a930d54d654fefdb5395f2f5bdd569 | 0 | 0 |
| Evasive Azorult detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | bc6f9cb8f39b70734c26b70f509cd672b3173413fef65146e95364ccd778a60e | 0 | 0 |
| Event Tracing(ETW) .NET Bypassing | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 6069c607c41cfbdf480184c91403313c4f458c82732ed81f1cff013d545756f6 | 0 | 0 |
| Eventlog Cleared | Florian Roth | Sigma Integrated Rule Set (GitHub) | 21811843bfb7d3bd52d24ba751e69b943436736e36c5b88a3f0f5d4f80c042fd | 0 | 0 |
| Eventlog Cleared | Florian Roth | Sigma Integrated Rule Set (GitHub) | 7ab84c6091a1b4ceb1d00bb8f3be32dcd111618b7e0b705f7a14f2696bd4527c | 0 | 0 |
| Eventlog Cleared | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 897e81991ba93eae2ef049bec91493dcbc61908766ac3d56284ce87250a69aed | 0 | 0 |
| Eventlog Cleared | Florian Roth | Sigma Integrated Rule Set (GitHub) | eef34d2dd2c9264ef00f80ce3cee8c0b7232729bfb39f5f5258afc0701b750ba | 0 | 0 |
| EvilNum APT Golden Chickens Deployment Via OCX Files | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c07dab99223af1d0dcc74e5419200d751c154be9bf5fb4f8817b718b80074034 | 0 | 0 |
| Exchange Exploitation CVE-2021-28480 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8b0df83cd0067e8ec609c343855fdc202dc02e08333f53087a98ea20ae5a5b9a | 0 | 0 |
| Exchange Exploitation Used by HAFNIUM | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fa61fa3a9e1eb0bec15a00e9a84860be9b60903bc1901454841437fa15d2b33e | 0 | 0 |
| Exchange PowerShell Cmdlet History Deleted | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 628b268dfb27c23fa39874cbe14fa94c346995f129d19b10ce1254742aeb75dc | 0 | 0 |
| Exchange PowerShell Snap-Ins Usage | FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d6b23e65044f31aa0e870c30cfcb96f03b4e07207a6ee29c0ed9707981459b23 | 0 | 0 |
| Exchange ProxyShell Pattern | Florian Roth (Nextron Systems), Rich Warren | Sigma Integrated Rule Set (GitHub) | 64bc18e376a29a7021c54cb9dd0360d271fdc492dfe549706a750fcce1c06b85 | 0 | 0 |
| Exchange Set OabVirtualDirectory ExternalUrl Property | Jose Rodriguez @Cyb3rPandaH | Sigma Integrated Rule Set (GitHub) | 76f94274bd2a1a2e6fff0a84131b19b7a88097a0ecdf13f713b85cbe87821798 | 0 | 0 |
| Exe Launched By ReflectiveLoader Dll | Joe Security | Joe Security Rule Set (GitHub) | fb6e575b96ef105d7648f2fbb84e53c968901fc34652bf51317f8fa76685654f | 0 | 0 |
| Executable from Webdav | SOC Prime, Adam Swan | Sigma Integrated Rule Set (GitHub) | c5b9b720930832b94426c87d7d20296939a583d3a341561476b195402c712b66 | 0 | 0 |
| Executable from Webdav - Zeek | SOC Prime Team | SOC Prime Threat Detection Marketplace | 39c77a2689a21b694239fd44d2ca79bd9fbdd010599631d811030596b2bb794d | 0 | 0 |
| Execute Code with Pester.bat | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | 4c7cd76bbfcbeccd5a632e9635a2ba08c7f1b72ecfc3b734d01e3a46c75c1779 | 0 | 0 |
| Execute Code with Pester.bat as Parent | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 6b2bfdea0c20a8dacb06c81b30e897f413e348322ee29b59e850d162222888de | 0 | 0 |
| Execute Files with Msdeploy.exe | Beyu Denis, oscd.community | Sigma Integrated Rule Set (GitHub) | 01d30cac08cb23905f4eacf48a745712b09efd4d13ece8136df401f4fa5a9969 | 0 | 0 |
| Execute From Alternate Data Streams | frack113 | Sigma Integrated Rule Set (GitHub) | 050886ba2f2b1f82f8131a47ce6b22fb2663a44155ba973da3477fde647c06a5 | 0 | 0 |
| Execute MSDT Via Answer File | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 32e64e651f354b426dc717293affb14f8d8b7140ab2ebe000a3239f108926c6f | 0 | 0 |
| Execute Pcwrun.EXE To Leverage Follina | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 07baec2ac5a4524c22bab6b241fefd2d5d163c23f6715c470efc21c28ba2d7f1 | 0 | 0 |
| Execution DLL of Choice Using WAB.EXE | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | 99b21cfd2dee5c20c4ee150c1f8ff725e843b680ad0362dc10682baf38dba493 | 0 | 0 |
| Execution of Renamed PaExec | Jason Lynch | Sigma Integrated Rule Set (GitHub) | bc6e1fabac9a6bb91d67a4a5439f899182862c791a4d2bb72fbaf27b552554d6 | 0 | 0 |
| Execution via CL_Invocation.ps1 (2 Lines) | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | ceefb57442e71801749707909d69108b161f2d2e4a973242e7e2386648bee9b9 | 0 | 0 |
| Execution via CL_Invocation.ps1 - Powershell | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | c162774264013dd3be5fe01db608c8cd43087fb90d8ec4a8371ec6c119f1fef0 | 0 | 0 |
| Execution via CL_Mutexverifiers.ps1 | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | 1394e1d2c663042f47108fb190ff989e13550eff19ce6db03ef09a0c5a92aaec | 0 | 0 |
| Execution via CL_Mutexverifiers.ps1 | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | e0857d3351e317e009063a5853ed0234b65be28d6b94c9727a4473d4bd135d9c | 0 | 0 |
| Execution via CL_Mutexverifiers.ps1 (2 Lines) | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | 389839a4c3b9d52b701fe26dbe2f77f37e841fec35467860ced1accddf84b24d | 0 | 0 |
| Execution via Diskshadow.exe | Ivan Dyachkov, oscd.community | Sigma Integrated Rule Set (GitHub) | 1fc7c2d6af25fd4fb6af44ba89bae55555dbcfdcc31e586fd94298ac39ea011d | 0 | 0 |
| Execution via MSSQL Xp_cmdshell Stored Procedure | Tim Rauch | Sigma Integrated Rule Set (GitHub) | a5e738d9e67512fdb2a62724cacfb4c4b027f3ad9bde2a019d5f34632eb2ec1e | 0 | 0 |
| Exploit Framework User Agent | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5568bf39e0e0778586bb12b9eec75fa632d667e59d9a2593a81fc3c1f92482df | 0 | 0 |
| Exploit for CVE-2015-1641 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d3c02a535ea8c2ccc601d4d5317b74c2389350cbeffab45fe35634fb61351840 | 0 | 0 |
| Exploit for CVE-2017-0261 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9931af355487f8ba552a4261f563cca37a36e808d77f2dbc3857687968010e3a | 0 | 0 |
| Exploit for CVE-2017-8759 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9697bdf7c6b76b101974ea8a0feee97c4b309c7c74d5ccbf4e0c2b3a5e03f167 | 0 | 0 |
| Exploitation Attempt Of CVE-2023-46214 Using Public POC Code | Lars B. P. Frydenskov(Trifork Security) | Sigma Integrated Rule Set (GitHub) | 27efb80f8a89252473f733f61fcd3ebedc775d348b8b87de388eceb60f7eb85a | 0 | 0 |
| Exploitation Indicator Of CVE-2022-42475 | Nasreddine Bencherchali (Nextron Systems), Nilaa Maharjan, Douglasrose75 | Sigma Integrated Rule Set (GitHub) | f73bf833ff143771d4662eea5480be331b547c0a0117e990146ce5b4fcc30582 | 0 | 0 |
| Exploitation Indicators Of CVE-2023-20198 | Lars B. P. Frydenskov (Trifork Security) | Sigma Integrated Rule Set (GitHub) | 3126c0f4e536e6b26299c8b4202ef19198038e958a2b15f0c3a2bbf896c143c5 | 0 | 0 |
| Exploitation of CVE-2021-26814 in Wazuh | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e9dbd9775b62ea76e1f299caeec38e889d5ade4d1b9f15f0125be4c6c34f6ed8 | 0 | 0 |
| Exploited CVE-2020-10189 Zoho ManageEngine | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f85ce5948989e315c57d34da1951a85d6b29e1dd91e294fed17c4c5d2a65ca26 | 0 | 0 |
| Exploiting CVE-2019-1388 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ca8e07ebb4a9e88b2988f1c2c1da442f21dd9e29212734cad87963436e07697a | 0 | 0 |
| Exploiting SetupComplete.cmd CVE-2019-1378 | Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | aaf4513bd87abe8d41992949584d6e69d734d9f68ef90eaa97be26b350d990c6 | 0 | 0 |
| Exports Critical Registry Keys To a File | Oddvar Moe, Sander Wiebing, oscd.community | Sigma Integrated Rule Set (GitHub) | dbe237db785de8531f797d5f0689f67cf0389152523f491db2c761f5888de930 | 0 | 0 |
| External Disk Drive Or USB Storage Device Was Recognized By The System | Keith Wright | Sigma Integrated Rule Set (GitHub) | 69ec9de0dde4471e41ee7ac007a2e667bee45fc610f59477cfcd75bb72afdf6a | 0 | 0 |
| External Facing ICS DNP3 | SOC Prime Team | SOC Prime Threat Detection Marketplace | f91099b17f9d1bca0d4db4e5b0ad22f95649383e9cf2240cc0abc68540881418 | 0 | 0 |
| External Proxy Detected (Overview Query) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 8871bb484e485ff18029d70ed25036cf72ae96f363232176d3f639f5ffc8c719 | 0 | 0 |
| External Remote RDP Logon from Public IP | Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity) | Sigma Integrated Rule Set (GitHub) | 49aec14518e31487cacf1b97c8d227e4485f822a6a30d04b3fac2c7c145dbc74 | 0 | 0 |
| F5 BIG-IP iControl Rest API Command Execution - Proxy | Nasreddine Bencherchali (Nextron Systems), Thurein Oo | Sigma Integrated Rule Set (GitHub) | b3055175d1d5554ed64d6193a00f3a1a8a841c31f778939473dc8ff1d3078d36 | 0 | 0 |
| F5 BIG-IP iControl Rest API Command Execution - Webserver | Nasreddine Bencherchali (Nextron Systems), Thurein Oo | Sigma Integrated Rule Set (GitHub) | 6e6b09ec3aaaf909ff39e611ebb0d04042e76efa232ee6cdc8ccac29b2b0e7dc | 0 | 0 |
| FASTCash 2.0 - North Korea's BeagleBoyz Robbing Banks | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 328842f9bf7293774dba7e98cfbc8dc38cc5c3bfd0b550b66f9f388d2364db6b | 0 | 0 |
| FIN7's Backdoor "GRIFFON" | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 94db0c3a112be50fd02c2ff8b6bdb0ac37e92b752979f8c6f2e5563abe56be96 | 0 | 0 |
| FIN7's Backdoor "GRIFFON" | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b76c81cee8f9040791d362bde9fa5c5ec808c3d2f0fce6f9f4a04448b9e10018 | 0 | 0 |
| FORMBOOK Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4675166eaef352485a92c18a16d156904430c5c7735fd58dba24cf182c23d60e | 0 | 0 |
| FORMBOOK Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d8ca2edb73662b566eff75ea12702658de66707396e7bb7923a06ed5a3e3db3f | 0 | 0 |
| FORMBOOK Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | eeee8664c6a13d9135d1338a6561c8e98c8d43e7769fb1532912f88a85cfc98d | 0 | 0 |
| Failed Authentications From Countries You Do Not Operate Out Of | MikeDuddington, '@dudders1' | Sigma Integrated Rule Set (GitHub) | feb740756a11ff14f31480b827e32dc083967875e41284e0667b45ec7b99c7ca | 0 | 0 |
| Failed DNS Zone Transfer | Zach Mathis | Sigma Integrated Rule Set (GitHub) | f8136f791ce5eb598447408965d8611b56158bb3093f9bc217cf6ebb2d7b0e71 | 0 | 0 |
| Failed Logins with Different Accounts from Single Source System | Florian Roth | Sigma Integrated Rule Set (GitHub) | 39c6740d7e5a4065ad484a47fdf900dac6ebb236a092d3a62ae08b42f997aaf4 | 0 | 0 |
| Failed Logins with Different Accounts from Single Source System | Florian Roth | Sigma Integrated Rule Set (GitHub) | 96209abdf48c67f20055c6bff1def00f64467ff7b6241d0f81f46fb6dd9c45ce | 0 | 0 |
| Failed Logins with Different Accounts from Single Source System | Florian Roth | Sigma Integrated Rule Set (GitHub) | c205af7876e4586e4a5a6daf3886f1baa3df67852a520806aa99706ca5d30f1d | 0 | 0 |
| Failed Logins with Different Accounts from Single Source System | Florian Roth | Sigma Integrated Rule Set (GitHub) | ca722b22c08d09482ee7e905dc151bc4c635059ae6cca8d5e7319d79d75a939b | 0 | 0 |
| Failed Logins with Different Accounts from Single Source System | Florian Roth | Sigma Integrated Rule Set (GitHub) | da16f0c4a5327c930eada87193754d50bfcbe86ae02f2b346843be759f3bf068 | 0 | 0 |
| Failed Logins with Different Accounts from Single Source System | Florian Roth | Sigma Integrated Rule Set (GitHub) | e0dab5d045b0693435584647bbbacf51af451c35bf9073723e14ce5e9faa977a | 0 | 0 |
| Failed Logon From Public IP | NVISO | Sigma Integrated Rule Set (GitHub) | 747bd73d4c017e43abc40ee62507a5889d075d5fde6a504c4d858fa2bcf544cf | 0 | 0 |
| Failed MSExchange Transport Agent Installation | Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4ffd23c451cedb770f7b27887ee3bedb3bd28836fcf3f1af17ddfcc02f42244f | 0 | 0 |
| Failed Mounting of Hidden Share | Fabian Franz | Sigma Integrated Rule Set (GitHub) | 68bc17c47cc9a04e078b6e31872b2c345a9de4e688c0a560ab1aa1c3e4cc7539 | 0 | 0 |
| Fax Service DLL Search Order Hijack | NVISO | Sigma Integrated Rule Set (GitHub) | 4bd3cd7f770c6c3ec6329529702f55c609cbd0c8220a36c08756e56a5eb0e553 | 0 | 0 |
| File Creation Date Changed to Another Year | frack113, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | df4fe2b0d851692a371bf0f348a05717c283887d556e2a095787e3269c007918 | 0 | 0 |
| File Creation by Office Applications | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 4c867f43073512dc59c123d57114baa298a7f696a87ca8842fba36f25783ba49 | 0 | 0 |
| File Decryption Using Gpg4win | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7a501a63a13fd49900ce70f0d483c0fa5aa258d9dfafab2fad52035d5b40984f | 0 | 0 |
| File Deletion | Ömer Günal, oscd.community | Sigma Integrated Rule Set (GitHub) | ca09f90f6791c066d3cb4ab07b1fbc4ed8bc75831b99eae0123b994db452cc63 | 0 | 0 |
| File Download And Execution Via IEExec.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b6040efbd7812c47c4f940044893d325b6ecd7c971385b21b9937eac64f2be90 | 0 | 0 |
| File Download From IP Based URL Via CertOC.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5e2f9ffcd83c0b9db77da4dea2a15a3e41d342e25f1559f0ef4502a3c223ab43 | 0 | 0 |
| File Download Using Notepad++ GUP Utility | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4f6f22cfbe19700db9a0857a1dd2fe09c0e4321d053a4a118de23151e93ca3af | 0 | 0 |
| File Download Using ProtocolHandler.exe | frack113 | Sigma Integrated Rule Set (GitHub) | b886d124810a581d5017eaa5d5eb0d9d6835919fc18f7f9b4c5939e0fba81825 | 0 | 0 |
| File Download via CertOC.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dded781163ffb42cdc17dab5b8d39a5043a3cc4a4fb4d5d55590e35f10472571 | 0 | 0 |
| File Encryption Using Gpg4win | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6e0e2268fa3eb3dc08edde73c48c3596f17a2b1662b983ff587375a5b75ea62d | 0 | 0 |
| File Time Attribute Change - Linux | Igor Fits, oscd.community | Sigma Integrated Rule Set (GitHub) | 98a04cf3e09ed0fd0d955b1233d5da45cab63a5a2370ab7dc16a507783467e67 | 0 | 0 |
| File Was Not Allowed To Run | Pushkarev Dmitry | Sigma Integrated Rule Set (GitHub) | 9a03b6952f3ce7ab37238d17b0e583d82c02641e1cd9add5995da0319dc8e27f | 0 | 0 |
| File and Directory Discovery - Linux | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 3d3b45d016905389c43a4a14252fb73bf6a6f29ca1d925f44b19ff52a9bc0571 | 0 | 0 |
| File and Directory Discovery - MacOS | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | de61a9a6e51619752c9f8bf87bb41536abc4f6983711039dcef99b9732a26713 | 0 | 0 |
| File or Folder Permissions Change | Jakob Weinzettl, oscd.community | Sigma Integrated Rule Set (GitHub) | 2aa85d50392d0c934bd643168b9d6106622e796b2f125ccbfdbc65beb9d9328d | 0 | 0 |
| Files Dropped to Program Files by Non-Priviledged Process | Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | 0dec80af16a1229c7c8b9478448b6a3fe7a1cd392768c3d11e0cc1d3f56ce89c | 0 | 0 |
| FindPOS Banking Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b4f6a2934ee226030f077e9c78924c5b5a78d41ee66a0529dd426becc7b33ddd | 0 | 0 |
| First Time Seen Remote Named Pipe | Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | 8f55e684b93688b5ada963a92be16b72c1a0cfc3cb3de96dd117b81f4ca48353 | 0 | 0 |
| First Time Seen Remote Named Pipe - Zeek | SOC Prime Team | SOC Prime Threat Detection Marketplace | 480a8350961bc4753587db029d2b4b67af4927083b258b8ac071d0dea69e5107 | 0 | 0 |
| First Time Seen Remote Named Pipe - Zeek | Samir Bousseaden, @neu5ron, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 6dfb9593c473f7b52b104c46e0f2ae974fd27365b3fef076729065c3ceb7336d | 0 | 0 |
| Flash Player Update from Suspicious Location | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f98973bb4e1b72aebf2e59eaeb00827a358135f7260cf198ac43e31c7422e15b | 0 | 0 |
| FlowCloud Registry Markers | NVISO | Sigma Integrated Rule Set (GitHub) | ac4c45d3a4b76d63ba2158cb0a11df8d1e2733506cb845e78700108737b600ee | 0 | 0 |
| FoggyWeb Backdoor DLL Loading | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 668c7b595f169cd509eb51c29bc594ff624919395214381e2eac4fa7ff9e94ac | 0 | 0 |
| Folder Removed From Exploit Guard ProtectedFolders List - Registry | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 844e2d6b0a1d8c2344987f279782a4311585180ce7fe178b164a8267a982215e | 0 | 0 |
| Format.com FileSystem LOLBIN | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9e9f93dcbdb926c3870d61f8a14fc94391072517d56855658b4592a4e886289c | 0 | 0 |
| Formbook Process Creation | Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | f260e0e6e3999276169e5a2b9378f676cfd85254be368003b2cd97e7d6b10e14 | 0 | 0 |
| Fortinet CVE-2018-13379 Exploitation | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 48f4e640f9feb5bf31487a870784507ef5f7d38f22e9b62e9bbd954a197833ca | 0 | 0 |
| Fortinet CVE-2021-22123 Exploitation | Bhabesh Raj, Florian Roth | Sigma Integrated Rule Set (GitHub) | c1c52f5ba98a73c39c7b7d859118c45a22218d1c92dbd128e54bcb34942092c7 | 0 | 0 |
| Frat Trojan (Loader detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ea1d6297c25d9b1788bf0e9bb1ef3fe785a4ced33855144d3102a01fd227049a | 0 | 0 |
| Function Call From Undocumented COM Interface EditionUpgradeManager | oscd.community, Dmitry Uchakin | Sigma Integrated Rule Set (GitHub) | 87990351a4e0cbfe8406a67a021f9d9da456c915388fde098e654a87ba123617 | 0 | 0 |
| GALLIUM Artefacts | Tim Burrell | Sigma Integrated Rule Set (GitHub) | 13e966f80ac9708db929626d50e35b4c614959c0d209d09425ff454546ad372a | 0 | 0 |
| GALLIUM Artefacts | Tim Burrell | Sigma Integrated Rule Set (GitHub) | 4aa39f58ddd2f2f3bdd80a29f42c84ca2fe61a048fc8819faaff5df28a22b7db | 0 | 0 |
| GALLIUM Artefacts | Tim Burrell | Sigma Integrated Rule Set (GitHub) | 54e36ba8fed69643d4a587cef4fddde07614258a1c1996ed0c958450ccadf258 | 0 | 0 |
| GALLIUM Artefacts | Tim Burrell | Sigma Integrated Rule Set (GitHub) | a28fbac5cff189dab10e229b3a0ae2e24b372d2b111d7262fd83043e661ef513 | 0 | 0 |
| GALLIUM Artefacts | Tim Burrell | Sigma Integrated Rule Set (GitHub) | a43dac5f26c85a94239a74415d13e774debdccd841db311740a5727d95a105bb | 0 | 0 |
| GALLIUM Artefacts | Tim Burrell | Sigma Integrated Rule Set (GitHub) | d1012f082becc4692509094f0b3f52f4bfff06a6a239d05da80ed461dad4a230 | 0 | 0 |
| GALLIUM Artefacts - Builtin | Tim Burrell | Sigma Integrated Rule Set (GitHub) | fc4bbb141d939f93ce4dba43aa3b43e635f4dda080c5e27ee58529a1563dab8e | 0 | 0 |
| GALLIUM IOCs | Tim Burrell | Sigma Integrated Rule Set (GitHub) | a850462e96a471d0210fd57a8d09b89aa9d484414bb317ed6f8dfba6bfee5d84 | 0 | 0 |
| GCP Access Policy Deleted | Bryan Lim | Sigma Integrated Rule Set (GitHub) | e572872e6eb3050c9db82455e71711d2df7eb1225c6fe6cd221b79d724593d9e | 0 | 0 |
| GCP Break-glass Container Workload Deployed | Bryan Lim | Sigma Integrated Rule Set (GitHub) | 04c15ed05bf4f34d39c9e1b02fc99df0231f06a70ed3526d0257accf3c68108f | 0 | 0 |
| GUI Input Capture - macOS | remotephone, oscd.community | Sigma Integrated Rule Set (GitHub) | e8a715c11ff2888a95d902af6f79e1e2aac74e027662e679bf2d24be5d33ec77 | 0 | 0 |
| Gamaredon Group Behavior (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 0f97ccec7b149884820f61a172664b0ab480111696291696cb4b3e7ae011c34f | 0 | 0 |
| GatherNetworkInfo.VBS Reconnaissance Script Output | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5f1aa9107847a653b477de036cd6fe4554fefaece9391933190ae26efa11b974 | 0 | 0 |
| Geofenced Ru | Joe Security | Joe Security Rule Set (GitHub) | 562da91a76462659002a010f3f5e20f6ea8d3c7771e342dce7b3d0b5b2421eb8 | 0 | 0 |
| Get antivirus details via WMIC query | Joe Security | Joe Security Rule Set (GitHub) | 6e2720fef4d33bcf8ad643d1ff91ff392e3afc91ad4446024cf5a4dfa46685aa | 0 | 0 |
| Github Delete Action Invoked | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 2393e46daab9f09031e88196f68613af866a9ca1aa3fd0ad64df7a1b8c6ef250 | 0 | 0 |
| Github High Risk Configuration Disabled | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 9060774ab189fbb7714c52f872af3eccc8401149cddd1a1fdd476025560771f2 | 0 | 0 |
| Github New Secret Created | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 96a8d14b1f85567a30ecce1ed8fc5f5fadde8b645e14ad8d3fd20faa71b9cacb | 0 | 0 |
| Github Outside Collaborator Detected | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 61f3b704053032dfbd12b0550e20b30a1e52c176782ce45c9e97b07d051d3356 | 0 | 0 |
| Github Push Protection Bypass Detected | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | bffdbefd4df124a9762cc97d6c4cfacdaf6de0e7698d4437ac154cb34181b482 | 0 | 0 |
| Github Push Protection Disabled | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | e43bef8a91112c70cb37e124cc46737803f9e6385431efa9c1cdf45276053ef2 | 0 | 0 |
| Github Secret Scanning Feature Disabled | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | e170a27e21f0d7a68dcc419d09f2dda220ee052875edc19bb09ae9ae272821e1 | 0 | 0 |
| Github Self Hosted Runner Changes Detected | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 91f38ae169a00a9b9830f37c3fa50eda9d6fc217915d9bdc4a459c459271f975 | 0 | 0 |
| Glupteba malware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 7d6a15e8de84af0efc173edd7fc1d08b2c8d250be90a41056ded2b99d918271c | 0 | 0 |
| GoToAssist Temporary Installation Artefact | frack113 | Sigma Integrated Rule Set (GitHub) | 4275bccc48045a2afcc6bf9a3951c7e3af2c2408a4caa5374a42604084bf5886 | 0 | 0 |
| GoldenHelper Behavior (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 85d7d4821cc1ccf999a9455b3045c5778b716b7140209df1e1293db41bbc0bea | 0 | 0 |
| Goofy Guineapig Backdoor Potential C2 Communication | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 221d8ea063304e5fe1c7eec941ecc45a755346e1347f4650f38c494abdf34630 | 0 | 0 |
| Goofy Guineapig Backdoor Service Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 41d5bda45fc2273a0463327357488936070b64ec52567420b93293a5256434fb | 0 | 0 |
| Google Cloud DNS Zone Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 4e9fe08e5c9be680bfaf33cddcd1081cd3aba686ce5077b1cd0b5856663dbe0e | 0 | 0 |
| Google Cloud Firewall Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 75e61beb3d99547100af121b2ea1688aa808d3688450d44d493780d2cc802900 | 0 | 0 |
| Google Cloud Kubernetes Admission Controller | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 5790f7e831d8a6bc3ca5c218539243db16d6289b537af31c00d082fe78ed2c01 | 0 | 0 |
| Google Cloud Kubernetes CronJob | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 06da8a78620eee29e603c816960eae96dcb6ef22786be2395c7c89a4483be9c6 | 0 | 0 |
| Google Cloud Kubernetes RoleBinding | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 555a6561c2563b49ce91769c6ac3f56617339b3b8813f72c9fa1bd32ec71f74e | 0 | 0 |
| Google Cloud Kubernetes Secrets Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 6ee389129056d76efea184ded09eba9cf1c324f400b3d0d50b87786d565d0e03 | 0 | 0 |
| Google Cloud Re-identifies Sensitive Information | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | ddff51832fbd0426593249f7816c2949713da15d8f5f43d7bf73dbe4402ba1c3 | 0 | 0 |
| Google Cloud SQL Database Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | a916fae3b74465ca20244fcbd2427d10e602ebd5bd23e20c830516535a652466 | 0 | 0 |
| Google Cloud Service Account Disabled or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 5162849b0852d05e10e767dcf89c82633c89592c636df59cea0c8d66143fef63 | 0 | 0 |
| Google Cloud Service Account Modified | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 26b1499ccf7a72e494ae575cfa25674e193d0d80f0ee981977d65e518bf7575f | 0 | 0 |
| Google Cloud Storage Buckets Enumeration | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | f5a9b68010504eff3ab69d1406d28ce83a81c9b2399b5424d60221ca6c707c08 | 0 | 0 |
| Google Cloud Storage Buckets Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 432ac1fb76a98caf7e4c2c36dc767867c71c8241b3abb88c238e09dd1dd6eb52 | 0 | 0 |
| Google Cloud VPN Tunnel Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 1ec92cc5b58c4d0aba97c210716e4f4a0e3bc4148bac041b47e830680b25de8d | 0 | 0 |
| Google Full Network Traffic Packet Capture | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 11db866a2c986c2622afc6b4e18e39a469b925ba219af228e1b93928526e7317 | 0 | 0 |
| Google Workspace Application Access Level Modified | Bryan Lim | Sigma Integrated Rule Set (GitHub) | 6dae7c95a6c818754ee8289f9c731df89fa58d1c57b5cfeb8ebe324662394881 | 0 | 0 |
| Google Workspace Application Removed | Austin Songer | Sigma Integrated Rule Set (GitHub) | 7aad3ceec393171e628be57ad1507a50aaa34f68bfa8af505481b9406de81834 | 0 | 0 |
| Google Workspace Granted Domain API Access | Austin Songer | Sigma Integrated Rule Set (GitHub) | 7447e9cdd0e5729172c1c9f7143faf9ada51a1e939eb6100d7066e46913117c5 | 0 | 0 |
| Google Workspace MFA Disabled | Austin Songer | Sigma Integrated Rule Set (GitHub) | a6f7ea87e017ce01123928b2e8c2bee1808d90c322c0fe3f8660c929ed149b5d | 0 | 0 |
| Google Workspace Role Modified or Deleted | Austin Songer | Sigma Integrated Rule Set (GitHub) | a941017b4f691cb4487bac97de7b0d0a9649ffd6b3f402774dde963b3e3ecdaa | 0 | 0 |
| Google Workspace Role Privilege Deleted | Austin Songer | Sigma Integrated Rule Set (GitHub) | 9eb6ba62c47e14ada70fa08f7edc5aeb9118c433612b3feba5a7ce44fc77a909 | 0 | 0 |
| Google Workspace User Granted Admin Privileges | Austin Songer | Sigma Integrated Rule Set (GitHub) | 107b17aa4a3574e6f295747881192bc95a741ad7258df4c3d1abeb9bcd9031d5 | 0 | 0 |
| Gpscript Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 45153582f129faf9609ad25ea3a78eaa40fbe940f22dea7bed5c95cda5690274 | 0 | 0 |
| Grafana Path Traversal Exploitation CVE-2021-43798 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e5ef12864d0d0ecf036674826506d6184e1b067e991808aa0e1ff455c7ac0dcd | 0 | 0 |
| GrandSteal Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4f31c3fa158f312c5152f83df386b1fb92e53b215040fb3ae268cbb215e31429 | 0 | 0 |
| Grandoreiro banking trojan | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 43c3cf1aec99bd2e109fd3867cd77e17e8a24f54da3251b30dd592cf83272b56 | 0 | 0 |
| Granting Of Permissions To An Account | sawwinnnaung | Sigma Integrated Rule Set (GitHub) | 2c4ab12457b78f88ac5191037416703011e6de4aa39693b09e20823de2f0f42f | 0 | 0 |
| Griffon Malware Attack Pattern | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fb04ae1086b0cffb1e38657aa6a4e604a568498622ef2377f8748cf52d2897be | 0 | 0 |
| Guacamole Two Users Sharing Session Anomaly | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 17fc2e35d07c0b3986643b473df8b54cf3371854ed30f7d65fe415a944ba6961 | 0 | 0 |
| Guest Account Enabled Via Sysadminctl | Sohan G (D4rkCiph3r) | Sigma Integrated Rule Set (GitHub) | 836f4e53e8279f1027fc598ba6a8963ba1a675e9ba8028fa77f9f8a16fe75499 | 0 | 0 |
| Guest User Invited By Non Approved Inviters | Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' | Sigma Integrated Rule Set (GitHub) | a6d1a27258a4f9bd7fe6be079c7ae0dd1e173a04375cbd8db203cb59a73084d9 | 0 | 0 |
| Guest Users Invited To Tenant By Non Approved Inviters | MikeDuddington, '@dudders1' | Sigma Integrated Rule Set (GitHub) | 89b61ac9a2defb622e714dbe29d0a4a21419a634018ab9cf31c1307c3148ef32 | 0 | 0 |
| Guildma detection (sysmon and cmdline) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 1e6ac5cb97a765bdc2b15c1ca55ec978b04d9511ddba2126304966bde1b17fde | 0 | 0 |
| Guildma detection (sysmon and cmdline) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 3394ac20f81b6dbd77a611e1dfd1c52794b199583960710ebc28c01bae3a27a4 | 0 | 0 |
| Guildma detection (sysmon and cmdline) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 667f076dcfacae04c8fada9e9046abae794a581bd995ec39a741752bd4fadfb4 | 0 | 0 |
| HAFNIUM Exchange Exploitation Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a53120d1ec17fbf608c6da8cb88f544b76206e830dd4ec17155f718bf5851d0f | 0 | 0 |
| HTTP POST or PUT URI Non ASCII Character | SOC Prime Team | SOC Prime Threat Detection Marketplace | c4ee6e518d8bece54b732fc5a27bd8515ed478d3f31681891fab56111b6ca18f | 0 | 0 |
| HTTP Request With Empty User Agent | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | db3df2f3bab9e0691c10d2f198c0eed1ea877206a8230962360652fa37013d1e | 0 | 0 |
| Hack Tool User Agent | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9645aaedf8ece3691433afeb39dfddf3048958fa600acc234a56f522b4f41b8e | 0 | 0 |
| HackTool - ADCSPwn Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 945059b9924f612aec04c225310cee7009f0951805322568a62ebbefb71e63b0 | 0 | 0 |
| HackTool - BabyShark Agent Default URL Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 65fc9733e96d5061d9c0158d5e935ee4fb89c6a3d5981ed3e2ee6eba8d7931bc | 0 | 0 |
| HackTool - CobaltStrike BOF Injection Pattern | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e1f2db3ffec989759e5467440cde906de0dd4aa563b137379e91daed32103267 | 0 | 0 |
| HackTool - CobaltStrike Malleable Profile Patterns - Proxy | Markus Neis, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1ac8214130ee6892f0f972ca17f84291d8a508e920ffe27c46a0b4a746cee622 | 0 | 0 |
| HackTool - CoercedPotato Named Pipe Creation | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ab5e3f496e3b74fa0ec5c3bf3146a05070e9b6df7fe3f7d84271fd418d67741a | 0 | 0 |
| HackTool - CrackMapExec Process Patterns | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4d3671d81efce4856adaf6c7f15a83dc288ad1d46f99f88f75626af323c6003c | 0 | 0 |
| HackTool - Credential Dumping Tools Named Pipe Created | Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 9eed77c2ef05fafded05e61ec71d8bdd695696543061ef8b84fca37d1606484e | 0 | 0 |
| HackTool - DInjector PowerShell Cradle Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 10bbdc113d1dc5813708dd95928a8d1a38b22ab4b85bc027daaf8ac7aae65c9b | 0 | 0 |
| HackTool - Default PowerSploit/Empire Scheduled Task Creation | Markus Neis, @Karneades | Sigma Integrated Rule Set (GitHub) | 40b130caca0f58482d7bae973cb51c3d6c7a02a91a7f448a1c19eb96333f5a10 | 0 | 0 |
| HackTool - DiagTrackEoP Default Named Pipe | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a64d5075ca8a68f98e37b952659116501a5fca9bdfa256bec6ee04447d1726b8 | 0 | 0 |
| HackTool - EDRSilencer Execution - Filter Added | Thodoris Polyzos (@SmoothDeploy) | Sigma Integrated Rule Set (GitHub) | 0a28891154bee6a4bc8a1bc98a35fd1894e9490e988b8278c52b365f6849e5fc | 0 | 0 |
| HackTool - EfsPotato Named Pipe Creation | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 33bbc287fcdff32099d907d122b96db06214e7ef12bdbe38cc574df4fbcd94ff | 0 | 0 |
| HackTool - Empire PowerShell UAC Bypass | Ecco | Sigma Integrated Rule Set (GitHub) | 82469a7e6790faf9f415ad43cdf63ae3c4665bc5c9336e489f310de170797ea9 | 0 | 0 |
| HackTool - Empire UserAgent URI Combo | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2f9a27d9a32a1db53d0ad914de9cc96ab6822811498c2464c72d7ac1ae5ea6c8 | 0 | 0 |
| HackTool - F-Secure C3 Load by Rundll32 | Alfie Champion (ajpc500) | Sigma Integrated Rule Set (GitHub) | ca26332fee8f2e589029cf0e8f2b212bae02121915a9cc3a2cefe4c1a96419c1 | 0 | 0 |
| HackTool - HandleKatz Duplicating LSASS Handle | Bhabesh Raj (rule), @thefLinkk | Sigma Integrated Rule Set (GitHub) | 574231f662f39e1a462346540302573f5eff2cb0b05a9343ce362547a729bb8c | 0 | 0 |
| HackTool - HandleKatz LSASS Dumper Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8271f85045f41986bde13394d9c0e7f7b1c1f3fc4a5081917fab66e6910de138 | 0 | 0 |
| HackTool - Hydra Password Bruteforce Execution | Vasiliy Burov | Sigma Integrated Rule Set (GitHub) | 5f85313e54e037d0a06c79adac1b8bd95bf5684edfe87bb3f3f272501e30ece0 | 0 | 0 |
| HackTool - Koh Default Named Pipe | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 842f5fc58659b2e818a0949c0efb8e6c8107aad092d5c33548e4ae9ca5e8b5e2 | 0 | 0 |
| HackTool - LittleCorporal Generated Maldoc Injection | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f10b695dfd304615f49826a39fd11fb539271f8272a9a80be8f070a758f8f025 | 0 | 0 |
| HackTool - NoFilter Execution | Stamatis Chatzimangou (st0pp3r) | Sigma Integrated Rule Set (GitHub) | 83c1fee5d3f0a30333e726ee57260e50c629c03c36a1e6cfbb905861f9aa9cdc | 0 | 0 |
| HackTool - Potential Impacket Lateral Movement Activity | Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch | Sigma Integrated Rule Set (GitHub) | 3d5ac2209c46a9cb869f82a51ef7ec32954bc3ca32fe710929ac41137e9f7957 | 0 | 0 |
| HackTool - Pypykatz Credentials Dumping Activity | frack113 | Sigma Integrated Rule Set (GitHub) | e9fa03c18cdfe5568dbbe75862d4ab693fba40025a197a2021d576f54e3eaf76 | 0 | 0 |
| HackTool - RedMimicry Winnti Playbook Execution | Alexander Rausch | Sigma Integrated Rule Set (GitHub) | 2c7173d7fd6c440ff57e03f67e736353c0d299567579d74292ce79ddb87df5b7 | 0 | 0 |
| HackTool - SILENTTRINITY Stager DLL Load | Aleksey Potapov, oscd.community | Sigma Integrated Rule Set (GitHub) | 982e0890a488328656147907a9d7da438f6a9b5f133b90417b42dd585d158a15 | 0 | 0 |
| HackTool - SILENTTRINITY Stager Execution | Aleksey Potapov, oscd.community | Sigma Integrated Rule Set (GitHub) | d6d031ceeda5d6a3d7194bd6ec4d67e5ffb9cc743448939fdf278463bdd3e686 | 0 | 0 |
| HackTool - SharpEvtMute DLL Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 088c5e93a6fc8d47e8aefb1c8a6ec0a9121dc88b06d12d5afc5d1fce763d7976 | 0 | 0 |
| HackTool - SharpLDAPmonitor Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e45b16fd030f52e69c512e3570de6d000efb8a0e03c4073637e04aa773354410 | 0 | 0 |
| HackTool - SharpLdapWhoami Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4d8c1119b99b2be0533b5c4e1874458c9062d923070ac945a5c5a33dde33f486 | 0 | 0 |
| HackTool - SysmonEnte Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d76fa45ff73052fe0c5306fe21e260c983e615a85c7e7f60c649361b1829b09a | 0 | 0 |
| HackTool - WinRM Access Via Evil-WinRM | frack113 | Sigma Integrated Rule Set (GitHub) | 5ad71f4134dddf8bef6aed44120ca9d774108b3c4e8b7e322ca38e989a8cf176 | 0 | 0 |
| HackTool - Wmiexec Default Powershell Command | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0dd0031606f0639c042c9ad5ddc567446c4ded763ddee51e079179231c557209 | 0 | 0 |
| HackTool Service Registration or Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3057e0a4efcaf39794e0b634e3b7516983648b9fd483da5f9f735a5c5e61d415 | 0 | 0 |
| Hacktool Ruler | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cd304d70f67c3d14033f831971d45bee3264cc411ea28209db2f6d148ea9f2f6 | 0 | 0 |
| HawkEye malware - Coronavirus scam (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 06789be682ab6cf58699c03653b66c7f9299038c2c44e967e3c68a2e40fdbbdc | 0 | 0 |
| HawkEye malware - Coronavirus scam (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b7f993191f989d1f86bba4825f6e96a7c27e80b1bcdbf6ed6478ae89239222eb | 0 | 0 |
| Hermetic Wiper TG Process Patterns | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c8367923eee3d294cbbb06eeceb57cbe0b7a0614928e3e45a857da496c12a7ae | 0 | 0 |
| Hidden Files and Directories | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | 6c95803fd57ca93faa4a13a1be90825b893e3d84ac45ca8c70e80cf1574d4028 | 0 | 0 |
| Hidden Tear Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b11fac69696a228f0a15679f595df7b336dde8d11522e2dfdd9e1004aacf5721 | 0 | 0 |
| Hidden Tear Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e2c2e16d85599543e91b4dc9d25bd09e1b1ba61cafa1810a31073a40c91da39e | 0 | 0 |
| Hide copy and delete itself | Joe Security | Joe Security Rule Set (GitHub) | e491fecd17c16aecfb3b5ac96288fcdcf7c8ec061a8b1649da4e907b511f1208 | 0 | 0 |
| High DNS Bytes Out | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 2bc3d95bf98633de61ea95a005c1b04db78ea390377ce363fc04a09d20374cde | 0 | 0 |
| High DNS Bytes Out | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 4e81552b913384840b8f3b631ab5be105841ff6a829f1a496fd1e3e13effafba | 0 | 0 |
| High DNS Bytes Out | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 5d26dba8fce23cc9f2e893e61faa96cbbae4bce1e530e4154294172451e4a1b1 | 0 | 0 |
| High DNS Bytes Out | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | a958051334fc197d28be902cc93f3d866e1ca9a16f90a70f21bd60a2f47fbc29 | 0 | 0 |
| High DNS Bytes Out | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | db7861630c3853feeea696d711f739104df19b415fd9ba6c1a8fec46002a8fbf | 0 | 0 |
| High DNS Requests Rate | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 16b85da18d9082b3b4511ae7d959fbf89409bb88f17d708af4f48b0a422adefb | 0 | 0 |
| High DNS Requests Rate | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 2082aad99bb35c4089a7d806951cf7090bca3bdeb0a052f761dc38d878e58c57 | 0 | 0 |
| High DNS Requests Rate | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 4d753950eaec7ac9fc0b84352b52a7d1e44cd4806bded593087c93032ce8e29a | 0 | 0 |
| High DNS Requests Rate | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 888de5606c7898a641ac0f06071d731769cd6a0c2a8638b9bd65e4c7832b4a8c | 0 | 0 |
| High DNS Requests Rate | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | fb55eac70ca85e41bd6aedae03e77e21466cde4d3e05bdccc80080c9df288d8f | 0 | 0 |
| High NULL Records Requests Rate | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 85891d3694d60dcdc316d135514866fe396add3b76b77fb7cb7757ce6012957c | 0 | 0 |
| High TXT Records Requests Rate | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 27156cd3bf11019c9f610f2ca55106a23d64717f78b7db1730a6b20daae7fc23 | 0 | 0 |
| Hiloti Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 66ff25e9989ce9c10959062d94b9a42964f9a4b9a8fd8a2d4ac868a68139315b | 0 | 0 |
| Hiloti Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6bb0fcaf34349cee860ba3a315fdc7aed5aa00d66dcf54cae167073a246cf851 | 0 | 0 |
| HiveRAT detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 030121281d0e4b69a504d82c281cb7406b2d3e2fd7ff8497648ea7198ce49781 | 0 | 0 |
| HiveRAT detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 1542db80b3c0353f1a027f7ddd3b1a2980335d4ef03fae03a4f951743f67648e | 0 | 0 |
| HiveRAT detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | bfa9006c02a3c62043c1bd4c10f77dd29fc786bc22855e00928082034c4307cc | 0 | 0 |
| Host Without Firewall | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | b27d91650a86f43d59ca651fec4af5b7b4a87e4b4d5b89b819a3aa69c312b60e | 0 | 0 |
| Huawei BGP Authentication Failures | Tim Brown | Sigma Integrated Rule Set (GitHub) | be7ac6e767527eca7b2258278be7bdc4efc00f5c296740a197b7ca7ce099f0ee | 0 | 0 |
| Hurricane Panda Activity | Florian Roth | Sigma Integrated Rule Set (GitHub) | 0595fd00a8b7a34a40b618e9649d81ef7256ae0a3b3ceefe70821decfce1feb7 | 0 | 0 |
| HybridConnectionManager Service Installation | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 517263a8c15fed9ded106be882b2ec39dde9a02250421088d9b2a222e1516406 | 0 | 0 |
| HybridConnectionManager Service Running | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 711a6c8a033fd8cc45c82ea8fdd9a7b6f95b70c88e157d2d67579ce7dff11b76 | 0 | 0 |
| IIS Native-Code Module Command Line Installation | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cc3ea4eefe5144350cce95a37a83b5a54cb1c3588b6a08901eb81ce60a358d20 | 0 | 0 |
| IIS WebServer Access Logs Deleted | Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2bdd5fc78153ede4a985b002b6ea2531d1354c62ac4f2e9818ca322fc5f79a71 | 0 | 0 |
| ISO File Created Within Temp Folders | @sam0x90 | Sigma Integrated Rule Set (GitHub) | 8c28faacb89d5c3cbd177e6768102f76073d1af8ab937c6c782b8160a9790f51 | 0 | 0 |
| ISO Image Mounted | Syed Hasan (@syedhasan009) | Sigma Integrated Rule Set (GitHub) | e6b3709b80b265ad0fed3cb1ec046dc0b3dfa6eba361f593c53333b71c662136 | 0 | 0 |
| IcedID Downloader | Joe Security | Joe Security Rule Set (GitHub) | 967066367d1b4b6d60bdc3bb6c06da99df284842490e627971ffc36d72138e44 | 0 | 0 |
| IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32 | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b6842d649ac9e8d7845bb2486a1935fc49c1697141a58b27bd823145877d9243 | 0 | 0 |
| Impacket PsExec Execution | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 3f02ed054f271ff6065ad30572fa0e95c2bd16820da55d1ad40d10e8fafd0eca | 0 | 0 |
| Import LDAP Data Interchange Format File Via Ldifde.EXE | @gott_cyber | Sigma Integrated Rule Set (GitHub) | 4895f0d6f0337794cd64b63d68f316d2ed34403f092d4a1b8b7c8a07d10bb0a2 | 0 | 0 |
| Import PowerShell Modules From Suspicious Directories - ProcCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3636d6960a4fdaa247a9229c6977343b5935aaecdb369c47b5d06a5ccf8edd9a | 0 | 0 |
| Important Scheduled Task Deleted | frack113 | Sigma Integrated Rule Set (GitHub) | ced7d7ecea464da8a488c81ba6cd1c7f6c4456f43c031be05fca12ec47619c82 | 0 | 0 |
| Important Scheduled Task Deleted/Disabled | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 37d960245680a83696c37572fed47a760ac9f35e3d7f7384d84013ddb80ee6d2 | 0 | 0 |
| Important Windows Event Auditing Disabled | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | edadad8f74e960e4e4346a92c4fbd62433e86a86aaf6075226454180e5ba37ce | 0 | 0 |
| Important Windows Eventlog Cleared | Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d2b78f97575e285485f323f331b7e24d482365d4a529def31a351c4d9e11c7c4 | 0 | 0 |
| Important Windows Service Terminated Unexpectedly | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 46a808aeb4d234e65bb076ffefe72a0a9e2c18011ffb83e1116965b8b8403fb1 | 0 | 0 |
| Important Windows Service Terminated With Error | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3ee70a48b21b9af9ef284435a98e6bda46175802c92002d2431729c7238694e3 | 0 | 0 |
| Impossible Travel | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 0b79acea2d3442c85023d0bab300d9e1159fd611b0c6ab96619ebd6dc7ede589 | 0 | 0 |
| Increased Failed Authentications Of Any Type | Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1' | Sigma Integrated Rule Set (GitHub) | b903a8d9dd8b43b85cbd8c2467eb5723ff3cba5be621a5ab5bb5e0deff92f304 | 0 | 0 |
| Indirect Command Execution | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | 949493fff309832e61eefbc1517c38dc21116f3e97310be0dfd27ee7544382e1 | 0 | 0 |
| Insecure Proxy/DOH Transfer Via Curl.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 898a6c63c0232e151811e296ca93ef77ed035a4c7ac8c63ff500ec2bc5c756ce | 0 | 0 |
| Install New Package Via Winget Local Manifest | Sreeman, Florian Roth (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | 12f03e6b0e193a0311b8fdfe379fc617a6b5ec4b6afd3fa4e2f8b3f1eb8774e8 | 0 | 0 |
| InstallerFileTakeOver LPE CVE-2021-41379 File Create Event | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b0c213591ac3b9d67559c62e06f44e984fa9cccd8eadc7126488916b8f112271 | 0 | 0 |
| Interactive Bash Suspicious Children | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 307bbe63ed2d150b908b15872d2d0d219c8352a56dd41050e8e410a8d2e45ddc | 0 | 0 |
| Interactive Logon to Server Systems | Florian Roth | Sigma Integrated Rule Set (GitHub) | 287dcb23b97461c15bc628626d410d7134857f2a8a73b5867709120813e47c17 | 0 | 0 |
| Invalid PIM License | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 4fc936c9241641df392c8906580d670a9367d1bb2d0544daf8f6694c6f36d526 | 0 | 0 |
| Invalid Users Failing To Authenticate From Single Source Using NTLM | Mauricio Velazco | Sigma Integrated Rule Set (GitHub) | bd35715e77f17842c47f4bd45fb125c2aee1c533dadb3de025a01b53ccdc7464 | 0 | 0 |
| Invalid Users Failing To Authenticate From Source Using Kerberos | Mauricio Velazco, frack113 | Sigma Integrated Rule Set (GitHub) | 24e430c06c4928d27c8c23097b69829139af8fce404dbe51f3b1a45cfe4c963d | 0 | 0 |
| Invoke-Obfuscation CLIP+ Launcher | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | 55d070128f8d768c5650c81c573dcfbad37b719f2e5b4c2e508c2a7fde28c9ba | 0 | 0 |
| Invoke-Obfuscation CLIP+ Launcher | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | 66ae2d866adeac92a15a12e31d3a3be37036f330111ae0f3fe3b7c895374ede1 | 0 | 0 |
| Invoke-Obfuscation CLIP+ Launcher | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | 66f7192930e6691d3b4ee72b4a6351242a104911c34cc2e563539db593bf6bc5 | 0 | 0 |
| Invoke-Obfuscation CLIP+ Launcher | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | a4095d2245c467d53d473d6f0b5664e6043544a19c73bd87d555a5316ada37e7 | 0 | 0 |
| Invoke-Obfuscation CLIP+ Launcher | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | dd967df044da70a0ce8e3d0766de79d0c1392ca968e6c1f2755dc95b76062a7d | 0 | 0 |
| Invoke-Obfuscation CLIP+ Launcher - PowerShell | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | d9fcc5b01474c94f013105b532ce885ebb7d8cedac210ff18bb921bd350afa1f | 0 | 0 |
| Invoke-Obfuscation CLIP+ Launcher - PowerShell Module | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | 61b487de335dac84b1a9bbd3816d5111cabce315463c02cb2953344caca3cd95 | 0 | 0 |
| Invoke-Obfuscation CLIP+ Launcher - Security | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | 07b20a8191672f390880af0dfccb1dcb42df51d9b0e0e5b4f4a34ae2636c385a | 0 | 0 |
| Invoke-Obfuscation CLIP+ Launcher - System | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | bc4b79447cdefa2382da736b3a63a3ce5a01a6400ed11820db5ee38b981e2e34 | 0 | 0 |
| Invoke-Obfuscation COMPRESS OBFUSCATION | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 23d33c003cb0a2893d558ec9fc1f759265b5200122f0155a81fd6da5eda7cb4a | 0 | 0 |
| Invoke-Obfuscation COMPRESS OBFUSCATION | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 2abb23702384c2980e4ffe0dd690fcd4ba17539c7c79c6718252778eab17fcc1 | 0 | 0 |
| Invoke-Obfuscation COMPRESS OBFUSCATION | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 30afe98d3f1fe8511eb6a67ad5f0d954762e3ae473d2c53b390482613c6afe8e | 0 | 0 |
| Invoke-Obfuscation COMPRESS OBFUSCATION | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | b5835a1f1f607f7c9b2995761947f379ab9343ac06637ece5caf60435a682e6c | 0 | 0 |
| Invoke-Obfuscation COMPRESS OBFUSCATION | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | f39f375a39ff602aaeb463af7e29f879cf1e2728e1bfd0ce46c68ce463d545c9 | 0 | 0 |
| Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 40db318f5624034dad47f954fe3a2bc47f2e09bc7d14e2311481d406665bde6a | 0 | 0 |
| Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | eacdd56ee69da6ba92a6f01f7d2cb4022f9ffb08eebd0a09a1e17012fc9f3307 | 0 | 0 |
| Invoke-Obfuscation COMPRESS OBFUSCATION - Security | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | dc78b6b33628aead1fdeb14c4a18756a01373ea62b8d5462c0c12f0dc5dc8be0 | 0 | 0 |
| Invoke-Obfuscation COMPRESS OBFUSCATION - System | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | bf865a7d8524d34ec2fcf366103b431319a364992070da49982bf7a6bf68fcd2 | 0 | 0 |
| Invoke-Obfuscation Obfuscated IEX Invocation | Daniel Bohannon (@Mandiant/@FireEye), oscd.community | Sigma Integrated Rule Set (GitHub) | 02563551ca2b811c4f5ebea13242cffde0a8e5d1dbe9578a4e836117c3344457 | 0 | 0 |
| Invoke-Obfuscation Obfuscated IEX Invocation | Daniel Bohannon (@Mandiant/@FireEye), oscd.community | Sigma Integrated Rule Set (GitHub) | 532d5adca424a8a32820d44f658dea5035219510229a38ea885eea469ae8f8a7 | 0 | 0 |
| Invoke-Obfuscation Obfuscated IEX Invocation | Daniel Bohannon (@Mandiant/@FireEye), oscd.community | Sigma Integrated Rule Set (GitHub) | 6e2b0909c3266faf43a0917df01825825b4ad958d6cdaa0a45c9cfe53e15affa | 0 | 0 |
| Invoke-Obfuscation Obfuscated IEX Invocation | Daniel Bohannon (@Mandiant/@FireEye), oscd.community | Sigma Integrated Rule Set (GitHub) | 7c97dec04489c3636dd72432f11eeb579854a1d03d55419bafb059e73e43dd4c | 0 | 0 |
| Invoke-Obfuscation Obfuscated IEX Invocation | Daniel Bohannon (@Mandiant/@FireEye), oscd.community | Sigma Integrated Rule Set (GitHub) | 89b3cbec0ebda2750669f9b5831ae50fb9a2e58ba9d9ecb76d82c553dd9fbaed | 0 | 0 |
| Invoke-Obfuscation Obfuscated IEX Invocation | Daniel Bohannon (@Mandiant/@FireEye), oscd.community | Sigma Integrated Rule Set (GitHub) | 978e8ef0c97aa415779127f1b750df3d71553c0ed2f593b7499f7213094b8a22 | 0 | 0 |
| Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module | Daniel Bohannon (@Mandiant/@FireEye), oscd.community | Sigma Integrated Rule Set (GitHub) | 6e503c48dbf119e0821aab4c7ebde353e0b781363fe0c88ac53e10fabedeeb33 | 0 | 0 |
| Invoke-Obfuscation Obfuscated IEX Invocation - Security | Daniel Bohannon (@Mandiant/@FireEye), oscd.community | Sigma Integrated Rule Set (GitHub) | 229bed31b945cf52d288e09e87afafe82ddc418cc89ac78e4aa57bb1505f4e17 | 0 | 0 |
| Invoke-Obfuscation Obfuscated IEX Invocation - System | Daniel Bohannon (@Mandiant/@FireEye), oscd.community | Sigma Integrated Rule Set (GitHub) | 778d34341a09f9942b6754b257881e32f43e5eb36c396c5a7bf385626994b6a3 | 0 | 0 |
| Invoke-Obfuscation RUNDLL LAUNCHER | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 15e77f32f6ce577059ce2a023014f97f6166500fe342a790642abbb2d7524dd1 | 0 | 0 |
| Invoke-Obfuscation RUNDLL LAUNCHER | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 5092dd88f643768409b7b033996ae9886f7916c352f876f58742e741c818de58 | 0 | 0 |
| Invoke-Obfuscation RUNDLL LAUNCHER | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 513a8ffd6dffc7c0f80d19848150c2e0de524c7115a18106ba96a0d789b07e1e | 0 | 0 |
| Invoke-Obfuscation RUNDLL LAUNCHER | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 669e0fa4f936ba08d94a0d94b4ff0a17a257f5b85f14a70e608f1804ef1226ef | 0 | 0 |
| Invoke-Obfuscation RUNDLL LAUNCHER | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | b81cfe0479a3286d77237d8297165880ec1fbe3652ad795ceb1abaa1eccb8d0f | 0 | 0 |
| Invoke-Obfuscation RUNDLL LAUNCHER | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | f4b87782d8c00059afd020eed2b619da907273f77ea5c3ba678a81e4a369045e | 0 | 0 |
| Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 36d028c2bbec04da64cd22e6d7ade29f0485073c4f2a33748b660bc41add11c5 | 0 | 0 |
| Invoke-Obfuscation RUNDLL LAUNCHER - Security | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | d304bf8af334b938ef27fc29de6beeba9510de9abd801458029e2aad0a96a430 | 0 | 0 |
| Invoke-Obfuscation RUNDLL LAUNCHER - System | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 013f9f3361dd5e5e166cef93640767e854c135731f7b10a6e86a582e2a3da454 | 0 | 0 |
| Invoke-Obfuscation STDIN+ Launcher | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | 33f26be0d86ded162f5f9983f8ccec7e33739e7d61ce1550a476f8d6d9fb1585 | 0 | 0 |
| Invoke-Obfuscation STDIN+ Launcher | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | 3c63fdf3c3489825803565ebef9d7aa5574b069b7df909431ca0cd9bbfff1014 | 0 | 0 |
| Invoke-Obfuscation STDIN+ Launcher | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | 5a405d8959e0dbe9e8c85da1ee53bb94a514c82a1c85543bcde6cdb5fa6c8d81 | 0 | 0 |
| Invoke-Obfuscation STDIN+ Launcher | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | 7c91efe9f8bcf7588b12461abfce94d9de990787f00ec01fdc0378b6d0ea5f7f | 0 | 0 |
| Invoke-Obfuscation STDIN+ Launcher | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | f46e368df2720b7c679c6d8a7af787029a555248b2a687d244934f424619531f | 0 | 0 |
| Invoke-Obfuscation STDIN+ Launcher - PowerShell Module | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | a48b077866cf1527dd61081ba5998bcaeba2f75f76f2b644f786592b048ccc42 | 0 | 0 |
| Invoke-Obfuscation STDIN+ Launcher - Security | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | 21fb91a013d99fcb0a512f126e1db671d61521863baf20148369276f4ce90a79 | 0 | 0 |
| Invoke-Obfuscation STDIN+ Launcher - System | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | e65f5089591863acc7d1b0724c258c83ed40c7f2ef5a4d11da364c316768c806 | 0 | 0 |
| Invoke-Obfuscation VAR+ Launcher | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | 37472617d726e65dc836731e68fa4b615e3453db5924b2ed694f6d42f3fa2e7c | 0 | 0 |
| Invoke-Obfuscation VAR+ Launcher | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | 785b999a59eeb49c52b8de6db77180b2f32a1c32f55c5a66124df629511ee71e | 0 | 0 |
| Invoke-Obfuscation VAR+ Launcher | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | 85c1b5321d15597e6d632e33d628537f69719336ffcaf3486716d44dc6a94690 | 0 | 0 |
| Invoke-Obfuscation VAR+ Launcher | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | 9fac765a1fc90df763e78970562f2ec88d72f5a1b755dc6922c9df6f6b3283a3 | 0 | 0 |
| Invoke-Obfuscation VAR+ Launcher | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | d5a5398fc7d4724a6543cb1b92710954d8f52105738cb1bd31d2db507b433082 | 0 | 0 |
| Invoke-Obfuscation VAR+ Launcher - PowerShell | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | cf80a5797b65d0aae908c9fb7bdd2ffdf5cdbace0b8e61a02320a61266fddbce | 0 | 0 |
| Invoke-Obfuscation VAR+ Launcher - PowerShell Module | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | f0ed779291914bc6744829d783902b1aa18afca33fcdce512a6e6dcec594b8fe | 0 | 0 |
| Invoke-Obfuscation VAR+ Launcher - Security | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | 9e447b626bcce83fc27a2087f918f28e255669c87d60b118fea3f35a6276ace9 | 0 | 0 |
| Invoke-Obfuscation VAR+ Launcher - System | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | 46f308942e8413fc74d14eb28362c26efc33f463b1d70394188e9cc50989434c | 0 | 0 |
| Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 43fda3b4b26f2d722e172affac6a534e640b6f690827cb80f27eae7bf1121924 | 0 | 0 |
| Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 56d1f6c5dcbbe1fd4ecdb87028f432b123ac0cf5fe37a336f0ed6c34521f370a | 0 | 0 |
| Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | b85a3806145ca2440f6e4328faea04b4694be6c4dfad9550ca882b91babed162 | 0 | 0 |
| Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | b95438303858dee4a1b7686bca97ba3c32d14bde4bccb73cd0cce0decef9cb1c | 0 | 0 |
| Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | f80b47791783e7ca801863d05a76bb83fb2ae70b2dc9d18a13fd9db9172baf46 | 0 | 0 |
| Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | ff49fb699dd54313f9d61a9bba7e0c0021f31cf6bbad67452754dffe5f1a87f2 | 0 | 0 |
| Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | ac263989614ade79cd7024eb73729ba0d899416a4618b2b37f9fe886b6ae1ea6 | 0 | 0 |
| Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 23598265f485b73118223796eab6ef3d4710b6c7855ae76fe8ef5e3156537361 | 0 | 0 |
| Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 9b7f8d96a709f458ef164dd0c2b1c0bd21506b6a9292710e95e822b262716fc0 | 0 | 0 |
| Invoke-Obfuscation Via Stdin | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 171e9c19da7073d50de0611f10f7fe49f18e33f0eb2271f1451e3122dd70da39 | 0 | 0 |
| Invoke-Obfuscation Via Stdin | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 4c4b43817f5f5dcaf3aadb0e508301e535f4809ca042fa2cec1ae56068e38683 | 0 | 0 |
| Invoke-Obfuscation Via Stdin | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | b3a5bd1f34b26d6c54d45604acabcec5814c2c266d0ab0547c722d22583b78e8 | 0 | 0 |
| Invoke-Obfuscation Via Stdin | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | bba8cd2d0e60c82277d0117e4841b13ee087cacccbf6b9bdd7d3c83f0375582a | 0 | 0 |
| Invoke-Obfuscation Via Stdin | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | d9663bea4419d4e77af5748add1d59d90a3c136f0100ad05f55199c8b38636f0 | 0 | 0 |
| Invoke-Obfuscation Via Stdin - PowerShell Module | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | ea2300c5e8a8dfac7a21e289614c34963c361bffda74ba0ddba16af4c009a74c | 0 | 0 |
| Invoke-Obfuscation Via Stdin - Powershell | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | e6338468914bbd534177587d16fde9881596bc9d1ac95c3a142e76a6d587e32c | 0 | 0 |
| Invoke-Obfuscation Via Stdin - Security | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 5a9474f49eedd6f514e9f05bd95d3fde3747f03da5803a359962b76fe04d3dc0 | 0 | 0 |
| Invoke-Obfuscation Via Stdin - System | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | ca82d3c569666b788bdb9b704468045f733d45dac72cb22f0dc35242d6dd30ce | 0 | 0 |
| Invoke-Obfuscation Via Use Clip | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 0d70c217e51ad45cc6411546634b710d8a2bd8d7fe04cea155aa5a5274d4b8c1 | 0 | 0 |
| Invoke-Obfuscation Via Use Clip | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 52417f5a914da422b1f4a12eae2a1fd94408538cc4aa1373f9a527d748628701 | 0 | 0 |
| Invoke-Obfuscation Via Use Clip | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 62ac6078947c91fe388df8ac3354f7d5cab59710aa0d057148b72b409203a565 | 0 | 0 |
| Invoke-Obfuscation Via Use Clip | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | f8caa5c28a6fabe724cbb68e6a4175a973edeb9f4a0caf001cd768f207c2da3c | 0 | 0 |
| Invoke-Obfuscation Via Use Clip | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | ff8bf7ea172d6967d31c7cd3833e156278c00c013da4bed9d4b45159acd507cb | 0 | 0 |
| Invoke-Obfuscation Via Use Clip - PowerShell Module | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 76af6c7b5bbcbcbccfb2ea260489d66ab26fb91c612afce2eea8b5538bb36c35 | 0 | 0 |
| Invoke-Obfuscation Via Use Clip - Security | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | f7ed971f190a397799a0730d5ae3ae4a8795ea76e42554768900a03c1bbf7ad2 | 0 | 0 |
| Invoke-Obfuscation Via Use Clip - System | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | ce17aada5a7768055bbf5a416696626ce2063fc2947da124934a97f0ff076ba6 | 0 | 0 |
| Invoke-Obfuscation Via Use MSHTA | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 0930a93e61dc6ca5c708a09f8f1a8c0dc24b8d942a8e8900144c6dee8703e343 | 0 | 0 |
| Invoke-Obfuscation Via Use MSHTA | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 0e5566fb9e5f855f277b707f52ff16085f2976cb6768b08e3151b738f7cc6992 | 0 | 0 |
| Invoke-Obfuscation Via Use MSHTA | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 43cbdd33506d9ffaa0d9a81b702937c5941031eccf02bfa20564b42417d9ff47 | 0 | 0 |
| Invoke-Obfuscation Via Use MSHTA | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | aa4d39be626c3fd4a68412b1a7760b0957c0c5b86f79eb893d14f58e7fce6c6d | 0 | 0 |
| Invoke-Obfuscation Via Use MSHTA | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | fa1bd4dbff85b70daad8ab600a4cfee9488c2ff0188d3cea00e84d7b073405ea | 0 | 0 |
| Invoke-Obfuscation Via Use MSHTA - PowerShell | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 2f4d7a7bc3e29eaeac5423c4d276d9a90586e6c3d4277f4d264c9d8aa54f6ec3 | 0 | 0 |
| Invoke-Obfuscation Via Use MSHTA - PowerShell Module | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 437698a3ddc141ac75cb061590808bbcb7de0b4fb7ebaf60345f0549f4cc9816 | 0 | 0 |
| Invoke-Obfuscation Via Use MSHTA - Security | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | d851e8933dce5155d4504668c3fad20bca16e503e478165aad802dc4e5634563 | 0 | 0 |
| Invoke-Obfuscation Via Use MSHTA - System | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | a5d8322f8fd4a171b92a497efdb17590b3b6b58818835a034997d21e4270b693 | 0 | 0 |
| Invoke-Obfuscation Via Use Rundll32 | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 4131754f7c0e71d23eac2114f63c2445f3ea1e8f38df8a76563917e98baf7123 | 0 | 0 |
| Invoke-Obfuscation Via Use Rundll32 | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 7d11bdaa4f671e75a6cf0ddb788f3ea6ff550f3371c61cb0a29f802ef5ac61d0 | 0 | 0 |
| Invoke-Obfuscation Via Use Rundll32 | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 93a7143b3c3623e84f71a4ba7087c95eadd288a96cc5205d70645fb23d9fd956 | 0 | 0 |
| Invoke-Obfuscation Via Use Rundll32 | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | a7908e5cb15379fd8bcf3a9689d34ff1a5a72ab4c6ca6d6c65e24d53ffbb2c13 | 0 | 0 |
| Invoke-Obfuscation Via Use Rundll32 | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | dc490d5d39ceac22ac7a184263ef179d60d4acaa65976183ddf786bd75366d9f | 0 | 0 |
| Invoke-Obfuscation Via Use Rundll32 | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | f78da06c94256bbc6f7356a3883982528e6282d615f1a6c25c43ddaad4687c18 | 0 | 0 |
| Invoke-Obfuscation Via Use Rundll32 - PowerShell Module | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | fc25895e0aab53d526b1f268874e1f81955fb22d2d310fc8a14e2f4cc28a52b4 | 0 | 0 |
| Invoke-Obfuscation Via Use Rundll32 - Security | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 2f55b73ec314c7381dc97abaeb5ef1469713fc1c552265bc1225b96c6ad6cc83 | 0 | 0 |
| Invoke-Obfuscation Via Use Rundll32 - System | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | fe3560ed4bbd6192e8416571fbbe1e5fe61a8b92201d44f818823f75e7f8578e | 0 | 0 |
| JAMF MDM Execution | Jay Pandit | Sigma Integrated Rule Set (GitHub) | 84004bc1bc5647986b7d6975284e5e0c645519882f3824b6f85b0818116789c1 | 0 | 0 |
| JAMF MDM Potential Suspicious Child Process | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 318d795d6174586c38f35d0882f6ec868df0e3a9fdaa1a66c81134860d2a8258 | 0 | 0 |
| JNDIExploit Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 67e1bb7efdc9f72507d792fffd9669f000bac02c81b6c5880693f3e473360550 | 0 | 0 |
| JSC Convert Javascript To Executable | frack113 | Sigma Integrated Rule Set (GitHub) | 2ff165b71352ba7322e48c1d765629db5ccf8ba92e65a3ab9a4d375da0846a6b | 0 | 0 |
| JSOutProx RAT (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 02be37dad81df3baa83c02c795e51416bda450b6272fe9585a50171a69535256 | 0 | 0 |
| JXA In-memory Execution Via OSAScript | Sohan G (D4rkCiph3r) | Sigma Integrated Rule Set (GitHub) | d9ee3be0af3ae45d8636dbdf1163e825e59e445cd37f090d09146c1a898a8f7c | 0 | 0 |
| Jacksbot (Registry event and CommandLine parameters) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 2be33206faf76054bce199518f9ba877ad2a9477b51af98ca05dd646dfb42c6c | 0 | 0 |
| Jacksbot (Registry event and CommandLine parameters) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | de380d617af0b2dd78f410efa4fc36f895a556759177b34f04dad90698a9b833 | 0 | 0 |
| Java Class Proxy Download | Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | b86f637637bb79d44a1590bf2bb4feadebbd6c2757ea9c0016f1a9595504b17d | 0 | 0 |
| Java Payload Strings | frack113, Harjot Singh, "@cyb3rjy0t" (update) | Sigma Integrated Rule Set (GitHub) | c08fd4adc55b78e8d134a4b62c4033306d8fb40ea0ad0142f08d3abb92a38f6f | 0 | 0 |
| Java Running with Remote Debugging | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2e7d87bfbd32ac2342d15ebcc05f5ef626e85c6ff102705ba365a90790098278 | 0 | 0 |
| JexBoss Command Sequence | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a3bdc4cfa6129ab202d0c31fd0a1b62c238614b1ef2d063913d6414edf0845b7 | 0 | 0 |
| Juniper BGP Missing MD5 | Tim Brown | Sigma Integrated Rule Set (GitHub) | 0f52da7ba37053b38aabf543fe6b48cccf492982b0c4423c605a9a7cd868a9df | 0 | 0 |
| KDC RC4-HMAC Downgrade CVE-2022-37966 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 27f15384e2982097a0a8f2fe8eb9d85961bb03d938d5bf55161e73748c145243 | 0 | 0 |
| KONNI Malware behavior (APT37) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 7f8871e9eb7dd4fee1e3a813c111693a960996e217fa6df263e3f2c45aa76a90 | 0 | 0 |
| KONNI Malware behavior (APT37) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | bb00a72fbfec2b0477f7a87eb9a66f6853e363526c96616ab8f9e89c0865617b | 0 | 0 |
| KONNI Malware behavior (APT37) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | dac73d2c69f90d09101600bec5114075b4bfc85ce4fd276570acd4b4b4002ac3 | 0 | 0 |
| Kavremover Dropped Binary LOLBIN Usage | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5b8e59ff6d9a6f17dd0b0fd91dd941c81c17da2acaee4aa1780ad09220c2b7cd | 0 | 0 |
| Kerberos Manipulation | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 231c4645e3a84818601e73156d0ec49d61870632b546fe129f75f9795fa95b1a | 0 | 0 |
| Kerberos Network Traffic RC4 Ticket Encryption | sigma | Sigma Integrated Rule Set (GitHub) | 78b71e2b045b325f1db537748abc852151228024bbcd946684eb402afddd7b1a | 0 | 0 |
| Kernel Memory Dump Via LiveKD | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8f653bfe06c9fe8a46b54940b63e1a47715e9b34f655eb6e661b95b913c06435 | 0 | 0 |
| Koadic post exploitation rootkit | Joe Security | Joe Security Rule Set (GitHub) | 6cfb40f83f69b8f6221133239461ee688e15ec2c65581eb5b5674a17e24831a1 | 0 | 0 |
| KrbRelayUp Attack Pattern | @SBousseaden, Florian Roth | Sigma Integrated Rule Set (GitHub) | 64cdef165052eb8d7e943c9183a9d5e851f727944f805f496f559197cc056855 | 0 | 0 |
| KrbRelayUp Service Installation | Sittikorn S, Tim Shelton | Sigma Integrated Rule Set (GitHub) | b0f99c5d2b939c246d80589cd822cbb165443af4f23bae7359a25112c38e400c | 0 | 0 |
| Kubernetes Events Deleted | Leo Tsaousis (@laripping) | Sigma Integrated Rule Set (GitHub) | c50e13c35eab60efafafe5755f23529d76fc7699f3adeb8980bd9c330cc0c096 | 0 | 0 |
| Kubernetes Secrets Enumeration | Leo Tsaousis (@laripping) | Sigma Integrated Rule Set (GitHub) | b99b4cf4bd9e0f922aade82ec85b2c265f34011959c511024c183a28b8307f77 | 0 | 0 |
| Kwapirs Trojan Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 1de7d62f1812c7f6b8864dd143e6647161ac4299a1d79041266d401042177e4c | 0 | 0 |
| Kwapirs Trojan Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 5c5eb2e19924ab6d6c54d36e0730e90e8dfea2ee983a708a1ecf6a596cd7bd9c | 0 | 0 |
| Kwapirs Trojan Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 96ca7fcb576c97b0d5789bb1536ba5039c9decf46b748ed501cc0945e90fb25e | 0 | 0 |
| LNK File Download or Usage over HTTP | SOC Prime Team | SOC Prime Threat Detection Marketplace | ffd8e0662e18d53ff9cd24c140aa76098f09521d84cc29f2f00a17fa50a43e37 | 0 | 0 |
| LNK File Download or Usage over SMB (Overview Query) | SOC Prime Team | SOC Prime Threat Detection Marketplace | a4d2269d88c903801fac5733945f9e7aa870b2b167f014df865f794d517e8907 | 0 | 0 |
| LOLBAS Data Exfiltration by DataSvcUtil.exe | Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 4ca63f832211aa3558085e05e1123658cee6f4d5daa8c91fc9deeb13b8ab7b5a | 0 | 0 |
| LPE InstallerFileTakeOver PoC CVE-2021-41379 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5aac8fe297cc2a7fde7dd8b7e3bc82990cbcba14f3acb11dfcd8306587c8b02d | 0 | 0 |
| LSASS Access Detected via Attack Surface Reduction | Markus Neis | Sigma Integrated Rule Set (GitHub) | 563af56cc44b5473ca2297f9917233ed8264136d5730aed0bf08f98e4294e060 | 0 | 0 |
| LSASS Access From Non System Account | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | c6493cb4442f7c6d607b594653ad5f32371b52193211d685ce4fa631017ee7cf | 0 | 0 |
| LSASS Access From Potentially White-Listed Processes | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d593692edfb0155a1eee787d657ba877f87da5e2e548276511560f75acc67110 | 0 | 0 |
| LSASS Access From Program in Potentially Suspicious Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | df0d05c25b308b1067253d6665734b787aee2e0d8b177c08f0fad5c83a9b598c | 0 | 0 |
| LSASS Memory Access by Tool With Dump Keyword In Name | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 645cb1e8e1af1e2c83bd115ff4c26b69adf33e6b889e7d3e080019df00d911e2 | 0 | 0 |
| LSASS Process Dump Artefact In CrashDumps Folder | @pbssubhash | Sigma Integrated Rule Set (GitHub) | 76943792af2068697b876777134ad9a888d725b0cb35b3eda717a54d78a60159 | 0 | 0 |
| LSASS Process Memory Dump Creation Via Taskmgr.EXE | Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | 9262279e69c00f54852b755d4861838d5ccfa933422a45c0c79d140e0651003e | 0 | 0 |
| Lace Tempest File Indicators | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 588b29378bc271192e51c683c2a0b9cafb40c7602b28a6402862a566a0b81ab2 | 0 | 0 |
| Lace Tempest Malware Loader Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 32f1a6abb7c0d573677298e3e0ddb2e271420ea641149faec6860812396d7921 | 0 | 0 |
| Lace Tempest PowerShell Evidence Eraser | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d32ca81927e9506817cce770d61f68382f37dd691cec907a32e23b900ce34832 | 0 | 0 |
| Lace Tempest PowerShell Launcher | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7c491918d0eb9bbccf2d3824e4dab60abcda78a7f88485cb1619257a05db39cf | 0 | 0 |
| Lateral Movement Indicator ConDrv | Janantha Marasinghe | Sigma Integrated Rule Set (GitHub) | c978aa658df36ee024186bee37eb8f5b1974ccfe8ded97a973bfe4dc6e197008 | 0 | 0 |
| Launch-VsDevShell.PS1 Proxy Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 653a2a6ef64e76c43984ddf71de4ef9fab7b4140732b70bffd798e87dbfaa635 | 0 | 0 |
| Lazarus APT DLL Sideloading Activity | Thurein Oo, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ac08ae75103b2592d17a9e6a1e238ccf73be2ee27f4b0649c6df3bcd2f1833aa | 0 | 0 |
| Lazarus Group Activity | Florian Roth (Nextron Systems), wagga | Sigma Integrated Rule Set (GitHub) | 5239809b3d434a5fd86760148a6ba71288898a2f7c5d6c4370e4afdf12c7283c | 0 | 0 |
| Lazarus Loaders | Florian Roth, wagga | Sigma Integrated Rule Set (GitHub) | c84a7ca7abbe3e5b0d2b85f57e26013cf82131739ccc06fb4271905d4a63f3ef | 0 | 0 |
| Leviathan Registry Key Activity | Aidan Bracher | Sigma Integrated Rule Set (GitHub) | 8d55489934039427d1fae624f0b85085985ab01440f56559b26c68f7a6a1deb4 | 0 | 0 |
| Linux Base64 Encoded Shebang In CLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 65b81bcdfbc588593fc0963077e22d4130ce747d90f3266d5c2f3aa6508cb30e | 0 | 0 |
| Linux Capabilities Discovery | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | 15f5291aefe8242b4be1908368af4c1c020bff933d962fa5c3d2690592a1d9db | 0 | 0 |
| Linux Crypto Mining Pool Connections | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 94ce005adcd09f3ebc9f1adf5dfb87bc39cf45a1c8e1176675682711a53d88f5 | 0 | 0 |
| Linux Doas Tool Execution | Sittikorn S, Teoderick Contreras | Sigma Integrated Rule Set (GitHub) | 2d09b677a33485e35622f8b6cdab5b1237af8abd8fc894532527d90f383c0aae | 0 | 0 |
| Linux Keylogging with Pam.d | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | 8b1654a5012de4c604255728331b3cb09c83826468daf25703344006927ebd6a | 0 | 0 |
| Linux Network Service Scanning | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 577e8f6fda6da02c80afa50ddf199a9e2817ae570e37dff3c743910d6e4dd273 | 0 | 0 |
| Linux Network Service Scanning | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 676feba35f86e9e41213bf2cd1daab4e4ad9143714e10f335981beeb7ba5d4a5 | 0 | 0 |
| Linux Network Service Scanning | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 7f6a694ee18581a5a2bb34e78f7cb079d0e12a465aa6639e291e138f6f308d27 | 0 | 0 |
| Linux Network Service Scanning - Auditd | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 96c79bd2f46a79e85a3f40f6206e96a7cc2f097ac4d2dd574d735dccec840832 | 0 | 0 |
| Linux Reverse Shell Indicator | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9627ed9b9dde6f0e9ce83624eb258b8c304ba56da7d651985c1e06a0ed0b4975 | 0 | 0 |
| Linux Webshell Indicators | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f1ddd314aee4681dd4bc1821da4b796ecf94c8b1576209bb191b5a8dbdcdb26a | 0 | 0 |
| Liphyra Botnet | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4596c900255dd64bed15c00f02fd2c020992da25e6600d3536b6b12b8992d409 | 0 | 0 |
| Liphyra Botnet | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 98cabebe7a41e8259d15db20be2beb491b39babbd9a772c20ccf447f7a5c5490 | 0 | 0 |
| Liphyra Botnet | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d5c4157c2b4dffa686a83ac64b8c022c3e066337e094757c2f248638dcef1214 | 0 | 0 |
| LiveKD Driver Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fe83f11bcb26d72813b40bdb5b8c4009f6f74e840320f5cd3d71f7e6efda7adf | 0 | 0 |
| LiveKD Driver Creation By Uncommon Process | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1d5a21d8db462c24435fa9525e3507c04d0368e1546130727d88cc0050357aae | 0 | 0 |
| LiveKD Kernel Memory Dump File Created | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d2957f3e596a6283175be9c1eec3b522e82aa8a105ee9a3e2f3bfb494c07cf90 | 0 | 0 |
| Loaded Module Enumeration Via Tasklist.EXE | Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | 7c2a2b3b85cbc078de4b871fc347cb5186dc813c5c2083360ce573c3f0abb87a | 0 | 0 |
| Loading Diagcab Package From Remote Path | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e5b9341df9284890eca06dd9731ecb3890a2c1496b549dd053bc40c178e14df8 | 0 | 0 |
| Loading of Kernel Module via Insmod | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | e690fd8425bfb6339396e2e0b658a06d8dad95357a25603d9ed007d8acae6e6b | 0 | 0 |
| Local Groups Discovery - MacOs | Ömer Günal, Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 96830978814aeec9f41351cd26d413ad426a28c3bf7d6f3630ee7e9a578659b9 | 0 | 0 |
| Local Privilege Escalation Indicator TabTip | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 341387d1dc0c269b7b874ce36d90680e7398381d49158ec118d2fbf7af6fe4fb | 0 | 0 |
| Loda RAT detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 53e145805bb5e6301f081883d8d97fc2ebfa40287aec49d411fbba030d1fa39c | 0 | 0 |
| Log4j RCE CVE-2021-44228 Generic | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8c495666d5450c3e2e0bb34d2cf7eef172c34ec61b80fb24f7ee56955d98c3cd | 0 | 0 |
| Log4j RCE CVE-2021-44228 in Fields | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a089911dd0c5c3ead7a5b984c73e7ff29d2a74b294849fe17ffc932bf33784e9 | 0 | 0 |
| Logged-On User Password Change Via Ksetup.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1a9508e6ec98fe450815498ea883a6e7b2a5974204656e2f9bb7b098a308553d | 0 | 0 |
| Logging Configuration Changes on Linux Host | Mikhail Larin, oscd.community | Sigma Integrated Rule Set (GitHub) | 445f9624d922b1b8b49be62aa6ab367c68746e2b43bdbb4e2e6c630e88e18678 | 0 | 0 |
| Login to Disabled Account | AlertIQ | Sigma Integrated Rule Set (GitHub) | 1514d5d526c9b5a1a6c5e315c592705ba8e80d9698d2928aed28182666d2a2e3 | 0 | 0 |
| Logon Scripts (UserInitMprLogonScript) | Tom Ueltschi (@c_APT_ure) | Sigma Integrated Rule Set (GitHub) | 4e10510e7f7c48be7d293bdd42d3c63dbb1c4ef878bb17ff20069102a6a1a6b1 | 0 | 0 |
| Logon Scripts (UserInitMprLogonScript) | Tom Ueltschi (@c_APT_ure) | Sigma Integrated Rule Set (GitHub) | 72753d1df5ca47138f6ac3de80cfbfccccb39052c6331addbb419e2b4a2f9752 | 0 | 0 |
| Logon Scripts (UserInitMprLogonScript) | Tom Ueltschi (@c_APT_ure) | Sigma Integrated Rule Set (GitHub) | c58463bc214d5126d24453ce3a2db9a54855641facf8d3dcf2e1a70b4cd47173 | 0 | 0 |
| Logon from a Risky IP Address | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 96e45b283c76172a1e89d9798c6e7952bf70ba4017864f8b0941dbffd56f7055 | 0 | 0 |
| LokiBot Trojan behavior (Sysmon). | Alexandr Yampolskyi, SOC Prime | SOC Prime Threat Detection Marketplace | 25b0a9aa21e02bf2b942c3a842e1cee818237b7da5e121b08157b081a775e7dd | 0 | 0 |
| Lolbas OneDriveStandaloneUpdater.exe Proxy Download | frack113 | Sigma Integrated Rule Set (GitHub) | c0cde0407770035045182e4494d9ef27565bb6a5a4bd1506dfd9512694fb59e0 | 0 | 0 |
| Lolbin Unregmp2.exe Use As Proxy | frack113 | Sigma Integrated Rule Set (GitHub) | 3801de7b2b12b9bb0f6c6167191baba801045f5089dddcf20a11575d87f741ee | 0 | 0 |
| Lsass Memory Dump via Comsvcs DLL | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 3c0e931ed838b9556e57c7385ca8aa0e20d9e4a2256e761c1f13540f3df2f513 | 0 | 0 |
| Lucifer Botnet Detection (Mimikatz Abuse) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b78dfe3c36a3641e35470c0d66caaab300392d55f5c4664b7541ee0d13af1e9f | 0 | 0 |
| MERCURY APT Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1fd571e29b648dde3ccdecc16fa9186092940df4ac729790a204fbfb1504c8c8 | 0 | 0 |
| MITRE BZAR Indicators for Execution | @neu5ron, SOC Prime | Sigma Integrated Rule Set (GitHub) | 92c43f07a2d15dc0d84c316204afa24eb03535cb3460b7183fae873f9f93601e | 0 | 0 |
| MITRE BZAR Indicators for Persistence | @neu5ron, SOC Prime | Sigma Integrated Rule Set (GitHub) | 41587ecc9bb28242c77b042aa99238dbce0be3451506ce1deaa512acac0d4481 | 0 | 0 |
| MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 89d0bc5bb059780ac612513695fd8f80cf382ee91b7fd215b45bdffbcf65b8e5 | 0 | 0 |
| MSBuild Launched By Scr | Joe Security | Joe Security Rule Set (GitHub) | 8ad7367c9de9a165016d9a8b662d34004cffb1cf0000aa760ebe1742b6a83175 | 0 | 0 |
| MSBuild execute suspicous task | Joe Security | Joe Security Rule Set (GitHub) | 850ce3b49e2fc441426c3b9ec59e195d417194b461fe480e76d2482bcd20112d | 0 | 0 |
| MSExchange Transport Agent Installation | Tobias Michalski | Sigma Integrated Rule Set (GitHub) | 711b03ff1593b84b2c430081585f67ac7553da05293568f43b5d49201ac3715f | 0 | 0 |
| MSExchange Transport Agent Installation | Tobias Michalski | Sigma Integrated Rule Set (GitHub) | 7c1f925effd9c12efb8a40826e8b85d7d92e1819d550b48add5d3bd5ee8421e2 | 0 | 0 |
| MSExchange Transport Agent Installation | Tobias Michalski | Sigma Integrated Rule Set (GitHub) | 9aa90df87bd198fdfd7ce530f731f1242cebb92ae8329996250469bfd299dfd7 | 0 | 0 |
| MSExchange Transport Agent Installation - Builtin | Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e771c0dcabbf8a0f6d4bb616409030d867092a5b633c5f87b668c761e0a73c23 | 0 | 0 |
| MSI Installation From Suspicious Locations | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 461e6edb67978c12ff58da285d77d474d485074cf463885b481efe09a1fd36c1 | 0 | 0 |
| MSI Installation From Web | Stamatis Chatzimangou | Sigma Integrated Rule Set (GitHub) | c856cf4310181be71156dedd595e1303eb9146e4909a33be5b77a634af9a8290 | 0 | 0 |
| MSI Spawned Cmd and Powershell Spawned Processes | Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | c7a8b63e31de07a842a530c5020291d2370e859b36aea25420f0d9744a271f6f | 0 | 0 |
| MSMQ Corrupted Packet Encountered | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3a3ca0f8c037b2b6a12c6078cb11a13525d13222140a0f6bf8e229bcc9e3f258 | 0 | 0 |
| MSSQL Add Account To Sysadmin Role | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1b8dba272839bb575f5b3f9da33023f4740a1b84e81e4f9d9a184c8eaae9bf77 | 0 | 0 |
| MSSQL Disable Audit Settings | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0023ead4850cd15e4361d2100abf17dde0b2a8a294573dfdc637ac7fb6995afe | 0 | 0 |
| MSSQL Extended Stored Procedure Backdoor Maggie | Denis Szadkowski, DIRT / DCSO CyTec | Sigma Integrated Rule Set (GitHub) | 8339def63b74002948ff1b5b1e2ee35342691a9e4e5a32a86765c35f2a6106de | 0 | 0 |
| MSSQL SPProcoption Set | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 872e3ac9f3dd66e4edbaae7226c656e132d685c8752da1c7b40048f3deab7580 | 0 | 0 |
| MSSQL Server Failed Logon | Nasreddine Bencherchali (Nextron Systems), j4son | Sigma Integrated Rule Set (GitHub) | 40eb9c9e91d6e75525bc23c0af6a0959d47b27aeea04988da4aed039c218f7e2 | 0 | 0 |
| MSSQL Server Failed Logon From External Network | j4son | Sigma Integrated Rule Set (GitHub) | da585409a91625360a9a039174138eff137e78e92c590f19fbfae0f544a78c11 | 0 | 0 |
| MSSQL XPCmdshell Option Change | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e8aa8371cc5fe1806b4cc0bc362b6c08c664e2473866961f08865b8dbe626cd4 | 0 | 0 |
| MSSQL XPCmdshell Suspicious Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c8ffe8b0d6ce0e713497c845181c4caac55e32c3ba7f44b04e0b1af8b5177aa5 | 0 | 0 |
| Macos Remote System Discovery | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | f3cd8ef31c8b21a65b954ec79c8cab26887cd18d064a995d666dee41e8acec49 | 0 | 0 |
| Mailbox Export to Exchange Webserver | Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 993b4f45701b3ec9d79ce389b7e4b9ba421865eff166ec27145d75741b2609eb | 0 | 0 |
| Malicious DLL File Dropped in the Teams or OneDrive Folder | frack113 | Sigma Integrated Rule Set (GitHub) | 0ad90d7aa0fdb2b3aa22f7b0438269a6add31695e091d3e00704728fdffac5d8 | 0 | 0 |
| Malicious DLL Load By Compromised 3CXDesktopApp | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 164ac29f934a91a02b0a5643fe836ddc62b5cdfd558e4f319713dc8f0c7a8747 | 0 | 0 |
| Malicious IP Address Sign-In Failure Rate | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 3b5e14d3e8a41fbb9831a463b29a9374afea75153b693e62c1eeb4009fcf51a3 | 0 | 0 |
| Malicious IP Address Sign-In Suspicious | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | d6a97e5cce87f8f66c4e02d46de2b99a3752f76c7477cfa0fd3e6c86b3128cd3 | 0 | 0 |
| Malicious Named Pipe Created | Florian Roth (Nextron Systems), blueteam0ps, elhoim | Sigma Integrated Rule Set (GitHub) | 18beefa1a0a5830d767ea9fe1831ce5fc0abbffeccd3c5932ea06333ab16d451 | 0 | 0 |
| Malicious Payload Download via Office Binaries | Beyu Denis, oscd.community | Sigma Integrated Rule Set (GitHub) | f8ff90356c4ca9019d85273206850b0132e8b3209bcc1d4931bf59b71450a496 | 0 | 0 |
| Malicious PowerShell Commandlets - PoshModule | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 541c6a8f85ea66fe7cd20ffb5901538bdbd0016b758510f019951603e2557710 | 0 | 0 |
| Malicious PowerShell Scripts - PoshModule | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ce183a8dcf0b1f1a74c4d3d119e86353ee57698c16b9df15ef6daa2b0b2b81e8 | 0 | 0 |
| Malicious Service Installations | Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Sigma Integrated Rule Set (GitHub) | 6476024015d6f67313581ba841b49d2aa8a5bd55b43397bb49521162a7688649 | 0 | 0 |
| Malicious Service Installations | Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Sigma Integrated Rule Set (GitHub) | 8054438d5b821755b2dbd5820a438b44688606dc8617bca3756bd60c75e15aee | 0 | 0 |
| Malicious Service Installations | Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update) | Sigma Integrated Rule Set (GitHub) | 9f944a38f9e33b70e2b645ce13a2ea1152481f589928dd164e9a2ca5ca452880 | 0 | 0 |
| Malicious Service Installations | Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Sigma Integrated Rule Set (GitHub) | ed399c29991d5d0998f08a5930c2fb1aadbd51855a51b2b30d76a6bf630eabd9 | 0 | 0 |
| Malicious Service Installations | Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Sigma Integrated Rule Set (GitHub) | ed602524330bd363f87bc7980fbb46e0186704e38a27f85f7c6030f2ad6356b9 | 0 | 0 |
| Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 27774785c899a25659566662ca41aadd02b66d6eb728811937ebaae069d82f5a | 0 | 0 |
| Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | fa6ee0e8f8cead534cdfd17b666caa7f1d01a684b482e45fc1dcc98c3a17c190 | 0 | 0 |
| Malicious payloads that are hidden in fake Windows error logs | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ca17d229059d9b7592cdb79afc25ca5111f033e6033346e481fcc97443e1cca9 | 0 | 0 |
| Malicious utilization of mofcomp.exe via CMD | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8b1787853632b3c011481b5856d0f67e76dcd5ca18b18c17758687641e424c52 | 0 | 0 |
| Malware Shellcode in Verclsid Target Process | John Lambert (tech), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ffb6e23f9b9b02d3336ba381f296b796adbc31e0297afd8257cec5c40e66bd8b | 0 | 0 |
| Malware User Agent | Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a352975e140ee0d8fd67c6be0d75ce52c7e74a2fc79700790bdaa343d062c5c4 | 0 | 0 |
| Masquerading as Linux Crond Process | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 9a46c620e21e78da1889a3e8f6dbe4070319becd3a7ef3bdc1d9b11595613ef8 | 0 | 0 |
| Measurable Increase Of Successful Authentications | Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton | Sigma Integrated Rule Set (GitHub) | 3fa2160bece2a586b705b87fff33b50172599949ac26db22488fac1f04051d84 | 0 | 0 |
| Mesh Agent Service Installation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5117f86a505e349c6cd837ce77faafdb5fd3697e13dfba5842107cc264fbcee2 | 0 | 0 |
| Metamorfo malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d73a269ba693e8e5fa275faa3169b39f3228c9708fae0c818a2e076be89ebac8 | 0 | 0 |
| Metasploit Or Impacket Service Installation Via SMB PsExec | Bartlomiej Czyz, Relativity | Sigma Integrated Rule Set (GitHub) | 5a244f13e4984c1b2b7a499cb46ddf8b68c1ba5230d646cec6c578e0fc490e30 | 0 | 0 |
| Metasploit Or Impacket Service Installation Via SMB PsExec | Bartlomiej Czyz, Relativity | Sigma Integrated Rule Set (GitHub) | ae51d2d67f9cc0555bac0f8f07cd0f21e85bf7996326a2ea736bf9240afc5c73 | 0 | 0 |
| Metasploit Or Impacket Service Installation Via SMB PsExec | Bartlomiej Czyz, Relativity | Sigma Integrated Rule Set (GitHub) | c27cff6b98bff3ffc6f117f1ee7a6d6969aafd5a49ec2acfc599aeac2d16d3aa | 0 | 0 |
| Metasploit Or Impacket Service Installation Via SMB PsExec | Bartlomiej Czyz, Relativity | Sigma Integrated Rule Set (GitHub) | fb37de09ff35e1a563c8446c188e8763186905bd6f1231f36c4344b06b1c1e49 | 0 | 0 |
| Metasploit SMB Authentication | Chakib Gzenayi (@Chak092), Hosni Mribah | Sigma Integrated Rule Set (GitHub) | 22b00ff2151af3d4d5470dded7d187d4f3021d163003a5608c0f6ce4c476db3f | 0 | 0 |
| Meterpreter or Cobalt Strike Getsystem Service Installation | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | 192e53b4eb1008e71a9b6e69068e10ea48a5dcaf61b1fc5d176c068bac8e1c8e | 0 | 0 |
| Meterpreter or Cobalt Strike Getsystem Service Installation | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | 40660e5f6c68cd541236f69c088146a482a8ebd809f57b774378aa0152dca75f | 0 | 0 |
| Meterpreter or Cobalt Strike Getsystem Service Installation | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | 40956f4e065cdfa5d7b282c6490d46c2ec2965fea47b1d597b61302386d09236 | 0 | 0 |
| Meterpreter or Cobalt Strike Getsystem Service Installation | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | 817e49977822d01e34c3e5dd05aba6ee11f45ab3c722bc7b2a2bb085226e41cc | 0 | 0 |
| Meterpreter or Cobalt Strike Getsystem Service Installation | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | bc197a778a20b521388a98e562298e644a301273af9279e8993a0b44cc59c8c8 | 0 | 0 |
| Meterpreter or Cobalt Strike Getsystem Service Installation | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | ec12972980ba51f81e74946a518425d59ff6b1a2e43fa17be336b5e67b155fa7 | 0 | 0 |
| Meterpreter or Cobalt Strike Getsystem Service Installation - Security | Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9b174921e3b6661c344cd2c30a575a282bf403e050644ebc88bac4c93c5f47bd | 0 | 0 |
| Meterpreter or Cobalt Strike Getsystem Service Installation - System | Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9fd506c795090efa401ad8bb755474601cc0aaa7ebf5b75b096714bd0235016a | 0 | 0 |
| Microsoft 365 - Impossible Travel Activity | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | d3a30f1e296d56fea04ef46810f3df154d12cf590c5dc97084de9af8009056ab | 0 | 0 |
| Microsoft 365 - Potential Ransomware Activity | austinsonger | Sigma Integrated Rule Set (GitHub) | 02ad8f012c03cc13afc7b6cd67d789e91979b43473e7203b074dd4d9f0b7a889 | 0 | 0 |
| Microsoft 365 - Unusual Volume of File Deletion | austinsonger | Sigma Integrated Rule Set (GitHub) | be9779fe3da9967876ef067833b541b5c0d33a033ab69daea3ab20181ea1e000 | 0 | 0 |
| Microsoft 365 - User Restricted from Sending Email | austinsonger | Sigma Integrated Rule Set (GitHub) | 37b5a17283cb3c4128108fd34d6a17996547cba22f82cb66467c0ef87a0455a7 | 0 | 0 |
| Microsoft Binary Github Communication | Michael Haag (idea), Florian Roth (rule) | Sigma Integrated Rule Set (GitHub) | dd661868928412c287335c1703782413d4880320931356edf3f1e713563d99e2 | 0 | 0 |
| Microsoft Defender Blocked from Loading Unsigned DLL | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | a47018e8ef1cc45e77daca77484671576bb0812366e2781bfa3594c5e956089d | 0 | 0 |
| Microsoft Defender Tamper Protection Trigger | Bhabesh Raj, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 1870d785edc3b42af09c0eb73a2aa3683103c07aea155f77f90275e694cb6a79 | 0 | 0 |
| Microsoft IIS Service Account Password Dumped | Tim Rauch, Janantha Marasinghe, Elastic (original idea) | Sigma Integrated Rule Set (GitHub) | 579789875ba67f31d3267aa54467dd057c7daeccd54f3d84eb0b90c7329b13a9 | 0 | 0 |
| Microsoft Malware Protection Engine Crash | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 122ed874aebb54ab631111c5a294891fee643ada943cf805d38b74e7f5f106a1 | 0 | 0 |
| Microsoft Malware Protection Engine Crash - WER | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d9bfe783bdd11d38a6493085cbd1c673a360226722228507fb920ef71b62895d | 0 | 0 |
| Microsoft Teams update.exe suspicious command argumets | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 1b4855885781ab5b82eba4b8b314d00176f5ac0f29ba84391f11660a70ecd421 | 0 | 0 |
| Microsoft VBA For Outlook Addin Loaded Via Outlook | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 70a7fa8eea6fc043858820184b6d6ce880dccb90e67a241505f66c89fff813d8 | 0 | 0 |
| Mimikatz DC Sync | Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu | Sigma Integrated Rule Set (GitHub) | ec2307a906e3ea53e96b7874574d7a2e89921b6e7f541a663a6626661dcdc850 | 0 | 0 |
| Mimikatz Detection LSASS Access | Sherif Eldeeb | Sigma Integrated Rule Set (GitHub) | ff1315c395da2bdbd410add740bc4f48077e8e1d846f3e2531758ed506a43645 | 0 | 0 |
| Mimikatz In-Memory | sigma | Sigma Integrated Rule Set (GitHub) | dadac8ee034d1cee2ef5b7d9a388d1421c731a53717834507c67ffe1b14b5104 | 0 | 0 |
| Mimikatz MemSSP Default Log File Creation | David ANDRE | Sigma Integrated Rule Set (GitHub) | 1bf84826e67862a2c36769a8990e8a19bc79218d45bd297eac23f736bebb40c4 | 0 | 0 |
| Mint Sandstorm - AsperaFaspex Suspicious Process Execution | Nasreddine Bencherchali (Nextron Systems), MSTIC (idea) | Sigma Integrated Rule Set (GitHub) | e36cb4b37c0a3b4839f6a55922b54dcae23e9a7abffd4fab8cdaa4cac5a28d2c | 0 | 0 |
| Mint Sandstorm - Log4J Wstomcat Process Execution | Nasreddine Bencherchali (Nextron Systems), MSTIC (idea) | Sigma Integrated Rule Set (GitHub) | db531917f7306c3d93c74550a1a2a8fe90cc4374c1b12b850143f9dbbce75d12 | 0 | 0 |
| Mint Sandstorm - ManageEngine Suspicious Process Execution | Nasreddine Bencherchali (Nextron Systems), MSTIC (idea) | Sigma Integrated Rule Set (GitHub) | 142381af7b3917b79e8f2a044bd428d90a4cc38c06d8939e95a08e4eac709282 | 0 | 0 |
| Modification of ld.so.preload | E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community | Sigma Integrated Rule Set (GitHub) | 35fdcd5de6749c0a3648859877873d553a64b9d469a1b72223f3430a15ab10e7 | 0 | 0 |
| Modify System Firewall | IAI | Sigma Integrated Rule Set (GitHub) | 9b162e77f6b19646520819d8e3106a91d9dbc365cfcff5a09e4cd2546a58b9cb | 0 | 0 |
| Modifying Crontab | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | 1111c129daa1f367ddd98562f6ce2ee4591a55d067c442a43665a1b601d3f339 | 0 | 0 |
| Modirat Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 83d78690b6193fe5c1396f8bc78fdedf8ba876a1e3b33e73fbd88be9ad9ac43b | 0 | 0 |
| Modirat Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8db76b3af1f01ca259e1dfb9ffced0b62d57908e3afda6d7190050a3651d0f35 | 0 | 0 |
| Modirat Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d25e572989f7314678d11ebedcd46c0978c4963282ce53453a99fac33ba9cd0b | 0 | 0 |
| Monitoring Wuauclt.exe For Lolbas Execution Of DLL | Sreeman | Sigma Integrated Rule Set (GitHub) | b7e3452e4a99ca10a2296ac99559c3c5ad282843dc9d00e99e744ca6725da3ae | 0 | 0 |
| Moriya Rootkit | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 14054e3c5398e3efeb36907b873cd44b2e3e1f45c872fd35fc93fe027f026822 | 0 | 0 |
| Moriya Rootkit | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 9dd3e22b848384bcb3c88ebef774e34383b1ce9ed5a38ae9e19b8002aa5e1197 | 0 | 0 |
| Moriya Rootkit | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | e890924140d1c95de2b7a7fb0972af50a2c5721ef496761669c3aba2244f16e8 | 0 | 0 |
| Moriya Rootkit - System | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | fd2423cd1fb181effe2fb4c56218d09921ebaa407b79513920ea5b24c9a3f645 | 0 | 0 |
| MpiExec Lolbin | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 65a9c1b8196d031b490abccf5fdd6b0096a89c61e8b7d774985dec19d9d0effa | 0 | 0 |
| Mshta Download Pastebin | Joe Security | Joe Security Rule Set (GitHub) | 022d94a14c023de93a446a40880959661603927ebe5efff6b062cf01f85d2627 | 0 | 0 |
| Multifactor Authentication Denied | AlertIQ | Sigma Integrated Rule Set (GitHub) | 233c91922caafc34f65d2ddba780ca64f6a73e33d7834c528aad6581d3c40cb7 | 0 | 0 |
| Multifactor Authentication Interrupted | AlertIQ | Sigma Integrated Rule Set (GitHub) | 486699d92cc29a0049da80bf790ffe339597bd00fe884682f96c34da8e130514 | 0 | 0 |
| Multiple Abnormal non conforming HTTP Requests | SOC Prime Team | SOC Prime Threat Detection Marketplace | b6ffd0976104f055b1bd3ba49b801ac35b6e79610413ba345169d98aeae6b573 | 0 | 0 |
| Multiple Clients to HTTP Using Unicode Host via HTTP - Possible Multiple Phishing Attempts | SOC Prime Team | SOC Prime Threat Detection Marketplace | 511963c1db190bc62faca5bc4ca06521da4635570743caf2d3f9cd4d56ca50a5 | 0 | 0 |
| Multiple Clients to HTTP Using Unicode Host via HTTP - Possible Multiple Phishing Attempts | SOC Prime Team | SOC Prime Threat Detection Marketplace | 988a0ffb0a0f47129dd9b934dcb130f00534a2413639d8a3c688061cd4a9765e | 0 | 0 |
| Multiple Compressed Files Transferred Outbound | SOC Prime Team | SOC Prime Threat Detection Marketplace | b8fd2aa035454d18d6233196fd8163e8a2353d52c1aac77573478869e2f4e068 | 0 | 0 |
| Multiple Compressed Files Transferred over HTTP | SOC Prime Team | SOC Prime Threat Detection Marketplace | 7bad960058d62e8ad7b373e0f3e304754a2b6902377eb2e11113e17b75ccc3c7 | 0 | 0 |
| Multiple Modsecurity Blocks | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3262aea4a6fe473c1bbccdfd23a7fdf4ca12d85cd72e7f33b38038ec0744e1c2 | 0 | 0 |
| Multiple Remote SMB Connections from single client | SOC Prime Team | SOC Prime Threat Detection Marketplace | c8e5e581e3b175b3982cdbb599ff7f79477c6d33f45c778d0e404d3b39611c79 | 0 | 0 |
| Multiple SSH Brute Inferences from Single IP | SOC Prime Team | SOC Prime Threat Detection Marketplace | 169719cbc9d66e576e8fed121636ea4267a6c02afe08533153871190bf0ee2ae | 0 | 0 |
| Multiple Suspicious Resp Codes Caused by Single Client | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 36b7f0b4e7ca31a80f5929c779c0b90ea599d134f5e18ed404448e5c7e4664d5 | 0 | 0 |
| Multiple Users Attempting To Authenticate Using Explicit Credentials | Mauricio Velazco | Sigma Integrated Rule Set (GitHub) | c9d7284a26107f63bbe7266930bba513eee485e862028ef3d01f460fdfd13353 | 0 | 0 |
| Multiple Users Failing to Authenticate from Single Process | Mauricio Velazco | Sigma Integrated Rule Set (GitHub) | b83947b9ca0aad485d29caf723d94bab0c256d4731fd51b5dd69d8ee931646f2 | 0 | 0 |
| Multiple Users Remotely Failing To Authenticate From Single Source | Mauricio Velazco | Sigma Integrated Rule Set (GitHub) | 4107edd5afd06ad49d102029bda7ae9f9b114dc56eb3f36ad01188bfdcdbf804 | 0 | 0 |
| Multiple Windows Admin Share Connections | SOC Prime Team | SOC Prime Threat Detection Marketplace | 9480e7a6092cdaee91f66357eb157816e36db05dcc021646b7b6bd3b1f0deba2 | 0 | 0 |
| Multiple Windows Remote Registry Service Connections | SOC Prime Team | SOC Prime Threat Detection Marketplace | 555ec13fb5fd2bac1c4c3d56534a101fe85e324759a14d2efbcff17a8ce0d68e | 0 | 0 |
| Mustang Panda Dropper | Florian Roth (Nextron Systems), oscd.community | Sigma Integrated Rule Set (GitHub) | 64ba6d12e9a7d24ab70539a41abdbb5f3b47f99268f5620467b24cd8118976be | 0 | 0 |
| MustangPanda COVID-19 campaing | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 50f367f6a2c0c7a6e7071294d21ea586cf7ba6280290d19c28143cb5ba740344 | 0 | 0 |
| MustangPanda COVID-19 campaing | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6fa28d8cc3b3f717443e0a42b68552d7a87153b44f262b79824fdceb66d49c55 | 0 | 0 |
| NTDS Exfiltration Filename Patterns | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 59834ad6ee09ec025f8af3a988bb48ef8d80a59461acd89405b2528d7f2b331b | 0 | 0 |
| NTDS.DIT Creation By Uncommon Parent Process | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0cf8479e95ae0e3163e81aed1ec87395423eae253567f08e4dd3ac2a0c160bf5 | 0 | 0 |
| NTDS.DIT Creation By Uncommon Process | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c12fec5a56d2fd081752150387da4f96dba46bb9d59e76351fb5886a3f218701 | 0 | 0 |
| NTFS Vulnerability Exploitation | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 411eb79dfeb1cc205d22228842bf9c45f6ea648d10de8bf3d08e9bdaa31e9d1f | 0 | 0 |
| NTLM Brute Force | Jerry Shockley '@jsh0x' | Sigma Integrated Rule Set (GitHub) | 54182425611ab34a2b625907d0925ad47e06ba8cbff4eba74a8d30f6578febdc | 0 | 0 |
| NTLM Logon | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7c3dc15fbc51dea715925bf595cd0f9e0a02de70e6c439f34e6f1f0e05748574 | 0 | 0 |
| NTLMv1 Logon Between Client and Server | Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f41fbbd0947ef225c285ff5ffa2c712a5531c440c2f84bb402d5d680c428563d | 0 | 0 |
| Nansh0u Campaign (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 904193bc621aaa8bd679e31840889e7e0ebdd3012ad80cd285a787efa9a21a1e | 0 | 0 |
| Narrator's Feedback-Hub Persistence | Dmitriy Lifanov, oscd.community | Sigma Integrated Rule Set (GitHub) | 4064f97b1b93e3d50e6d45f091287083f57a4143e79079ddd4afcae5bd61545f | 0 | 0 |
| Nemty Ransomware (LOLBins abuse) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b6e935f32e1e64aba00eeea36dedcf16c051a067fc0bd9e45ea29c807851976e | 0 | 0 |
| NetNTLM Downgrade Attack | Florian Roth, wagga | Sigma Integrated Rule Set (GitHub) | 567e3d1c926bd9cf6698fc92a1b61254aa80f7d149c421f1d6acbf4fc8492e5f | 0 | 0 |
| NetNTLM Downgrade Attack | Florian Roth, wagga | Sigma Integrated Rule Set (GitHub) | 628b3cedd2ee451a4c293777e6a6b1405d7ff8640e456f6c947256490c60b5d7 | 0 | 0 |
| NetNTLM Downgrade Attack | Florian Roth, wagga | Sigma Integrated Rule Set (GitHub) | bec1f52073fc2866f36490eba29525c7075bac3d5209203cfda883af578ca4f8 | 0 | 0 |
| NetNTLM Downgrade Attack | Florian Roth (Nextron Systems), wagga | Sigma Integrated Rule Set (GitHub) | cf37bb8e1c6eb04a715e1acac3004996b87765e5a9a1641cd5f9ba489b398a21 | 0 | 0 |
| NetSupport Manager Service Install | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 86ece89995af050381a2b0466e99f3f68df6961352036129bbf78c3197514256 | 0 | 0 |
| Netcat The Powershell Version | frack113 | Sigma Integrated Rule Set (GitHub) | 0fd4e2409b6a9d2d52410acd12bed00a2c98b5907728ae24ee86bc36d470b52d | 0 | 0 |
| Netcat The Powershell Version | frack113 | Sigma Integrated Rule Set (GitHub) | 16372019c3e1774b0a40174d12d8465e4bb4ecfac13a7148849c9b3d21282f37 | 0 | 0 |
| Network Connection Initiated To DevTunnels Domain | Kamran Saifullah | Sigma Integrated Rule Set (GitHub) | 288ba98d65a38ea550d080181aee990f5c60c6f33847cc93008d1013e8880cd5 | 0 | 0 |
| Network Connection Initiated To Visual Studio Code Tunnels Domain | Kamran Saifullah | Sigma Integrated Rule Set (GitHub) | 8354afdcc724ce9b16fb2cc840afa94ba9cb98ef3354ccd4ab587ce65c1ec859 | 0 | 0 |
| Network Scans | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 45df53aa30dc2cfa8b51eefcfc5610c077a28dd2cc8dc1e231a33ea4a8787dd7 | 0 | 0 |
| Network Scans | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | bb657f87ac9c438630487838d7c6786269418efb6f627897a245514632b7b71c | 0 | 0 |
| Network Scans | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | bf8c0428428fa1278ad2e0afa0221c340e18931c689a1a74660e2b25a2a1860a | 0 | 0 |
| Network Scans Count By Destination IP | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 0513b00d4770e8ba4e68a1bf68cab686e859e14797388dbcf6f51ea10f3042cc | 0 | 0 |
| Network Scans Count By Destination Port | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | d59f72c28978b1e054ff60f91c7cbf0354f8d455e90795685535c1697fd3c945 | 0 | 0 |
| Network Service Scanning Multiple IPs | SOC Prime Team | SOC Prime Threat Detection Marketplace | d2d4bc90121c2e5cb6f3b7884fe1e4c06a3a4c61c381e33eaf549354d0929db8 | 0 | 0 |
| Network Service Scanning Multiple IPs for Open Port | SOC Prime Team | SOC Prime Threat Detection Marketplace | e06753fd5e71bee4c1603fb8e04f441b1a19e365ff520231341b58b5c9676d87 | 0 | 0 |
| Network Share Discovery | SOC Prime Team | SOC Prime Threat Detection Marketplace | 7cda33e78a2e154cdc2a2bbeb41857926b105d3f9e7750e0d39c1a6db9bf9563 | 0 | 0 |
| Network Sniffing - Linux | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | cec88cf573d8c7f5ff9c871e5caf9caf91adc563916947a89aad1491da2346ac | 0 | 0 |
| Network Sniffing - MacOs | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 34a3b83c8ed31a73806fd506d538c5611d10141f5683c39ccd3e822a4e68da7b | 0 | 0 |
| Neutrino Backdoor | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 66fad368237fdcb7d2c9e94af048b92829d15c4a440509d0cda553cfd8390ef0 | 0 | 0 |
| Neutrino Backdoor | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c36594c085c33464fc5cde06dc8ae917de450f86a16aff6f5e7e0f6e3be73f2b | 0 | 0 |
| Neutrino Backdoor | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d3b050f13506d1bf0507f478002af7a34e949fa40a2ef119fbc657f3a35de60a | 0 | 0 |
| New ActiveScriptEventConsumer Created Via Wmic.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c96db484de175e1b250b8157c4e848f441ffb92c370fec9a85857f015c6b8db8 | 0 | 0 |
| New Application in AppCompat | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 63f0997b285249bf20906023fb00f8eb00815314c790f67a70befd01625e8aeb | 0 | 0 |
| New BgInfo.EXE Custom VBScript Registry Configuration | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c6dc6d76eeb648f8a6c7b792a7c0c0892cfb08761125a4917ff4e876629c6ade | 0 | 0 |
| New BgInfo.EXE Custom WMI Query Registry Configuration | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cd2cf3c556d7f804607b107b1ab5b1607104083c3c10634112c146a750d4f896 | 0 | 0 |
| New CA Policy by Non-approved Actor | Corissa Koopmans, '@corissalea' | Sigma Integrated Rule Set (GitHub) | 8481a3dfdbf2420e6f48e4ca174b2dda387b24d99a40fb5a1fa4df5cf6a2bd5a | 0 | 0 |
| New Country | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 29a6e023b51fcc14d21b2ad6feb3cf459c7eba88739ece5f47a4bd331c43f7f7 | 0 | 0 |
| New DNS ServerLevelPluginDll Installed | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 167ca4630ac31daedf547da8bb8695b2fbc83687b5dec49438c407766e74c574 | 0 | 0 |
| New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8a0b41208edc45c1f006ab6da0f12b0b819a810a16ba4179e2ef632571eafa18 | 0 | 0 |
| New Federated Domain Added | Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule) | Sigma Integrated Rule Set (GitHub) | 417fdab2450cfa423afc0b94feb8ea1eb0170931a5d2ce9f976a27414d16ad70 | 0 | 0 |
| New Federated Domain Added - Exchange | Splunk Threat Research Team (original rule), '@ionsor (rule)' | Sigma Integrated Rule Set (GitHub) | f4d4fe5ce26b394500e7dfc03888ed545d49235853ec9648757339683a4382cf | 0 | 0 |
| New Github Organization Member Added | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | dadac0757b2f6dc8f2424154d735c6e9f6debf3b040a084ea6bf09e1ee1c9951 | 0 | 0 |
| New Kind of Network (NKN) Detection | Michael Portera (@mportatoes) | Sigma Integrated Rule Set (GitHub) | 2c77a5d96ace41090b3f0375df03933e67f7572906b0034e8b3ca88749d3cd95 | 0 | 0 |
| New Kubernetes Service Account Created | Leo Tsaousis (@laripping) | Sigma Integrated Rule Set (GitHub) | b33072321fe8e3e1762c87204aa773aa246a224e0170326322d1f3c83bef17f9 | 0 | 0 |
| New Netsh Helper DLL Registered From A Suspicious Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 06d9285ce443fddf212ad5e266021a9b1330b6f5f5323f9f6ed98ecc7ef9183f | 0 | 0 |
| New Okta User Created | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 54ae60ed9b91100a093c0cc068b4bbc869b014a835c812d89d99036067653144 | 0 | 0 |
| New Outlook Macro Created | @ScoubiMtl | Sigma Integrated Rule Set (GitHub) | 6521fe44f6063c0c2459334902169e29975140f570d57f3ec5fb33d79f3b074b | 0 | 0 |
| New PDQDeploy Service - Client Side | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7eef4b778bab8a20a8e7ed2a4e0dd59bf7640b39b56d4c814a4a1b8fda3b982a | 0 | 0 |
| New PDQDeploy Service - Server Side | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 59adf824809d4236ddfb7abd94c5a9eb62364b1c2b75771aa0109c9a8883523a | 0 | 0 |
| New PowerShell Instance Created | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 83cb47f5a4ddfd9c34da01fa9f873a03f0cc58cc2778580cc726de414c3c0baf | 0 | 0 |
| New Root Certificate Authority Added | Harjot Shah Singh, '@cyb3rjy0t' | Sigma Integrated Rule Set (GitHub) | f895ebfd80192a0790353f180cb2f6a41a074614617ff1a20d33797ff25a81ae | 0 | 0 |
| New Service Uses Double Ampersand in Path | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 30edb61625037a72a7c9c3683c9e096a775cace99e1426de2d32b4b713f384a9 | 0 | 0 |
| Nginx Core Dump | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7a4cd40845c7f590d81d5519efe14cb755da4ad7e8382cf1b793884653b688b5 | 0 | 0 |
| Ngrok Usage with Remote Desktop Service | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9f2d0250a4d365231552edf3cd9a299a59fc19270a21bdf6c9c9bc153c1125c3 | 0 | 0 |
| Nibiru detection (Registry event and CommandLine parameters) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 3debb91f02ff96ef7063287de5f4ac2a5b63133f3d2217b252f7ff735f72fe86 | 0 | 0 |
| Nibiru detection (Registry event and CommandLine parameters) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ea4bc0ae193b08ac5358d5794b10aace35e1a28e70fa3405a1b93acd3c30f538 | 0 | 0 |
| Nimbuspwn Exploitation | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | d45d10c3028ea86b6785f4996bf142b5846384cffab3108857c060b1bf2603b0 | 0 | 0 |
| No Suitable Encryption Key Found For Generating Kerberos Ticket | @SerkinValery | Sigma Integrated Rule Set (GitHub) | 0aa876d4a1f4fe38a455522a180c967c96786f0895f9da7fa36998a51eef77ed | 0 | 0 |
| Node Process Executions | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9202f610baa020320fb0754246900aef3eb9d7cab948cd7896901c509b02cb91 | 0 | 0 |
| Non-privileged Usage of Reg or Powershell | Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | 27c02a5e277091bc1c5b7d2a04365e89a8787ee68e58616afd80ef5c26aa04de | 0 | 0 |
| North Korean RAT - BLINDINGCAN (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e8ccfecc9a57c342fda105daa1ce14b8913cb320d668dec39aa2e246fd6edbe7 | 0 | 0 |
| Novter Botnet detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f699b7b7fd20025dcb81e2586b58b97d0ba868dae7904c07e08849456012355d | 0 | 0 |
| Nslookup PowerShell Download Cradle | Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam | Sigma Integrated Rule Set (GitHub) | ff5075c1ab78a992ff2adc2a2049fe9b6d926c8bc64281be803d245f855dc985 | 0 | 0 |
| NtdllPipe Like Activity Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2e75bd8ee8f295c82c9c13ed7f3e94a1842f9f875763967e88abf3169db8a501 | 0 | 0 |
| Ntdsutil Abuse | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 210264616bb0095387dbc3e8c5912a1eb75faefd8724568bfc6ec716d5590cd5 | 0 | 0 |
| Number Of Resource Creation Or Deployment Activities | sawwinnnaung | Sigma Integrated Rule Set (GitHub) | 72c0e900a73e61f8d65b8fc1bc7424e17ed6404f198817556ef1b8bf780307f9 | 0 | 0 |
| OMIGOD HTTP No Authentication RCE | Nate Guagenti (neu5ron) | Sigma Integrated Rule Set (GitHub) | 37c2af49383c30c36d87b7215b22296e477d1b387c3b0c34cf3a3050d62099f1 | 0 | 0 |
| OMIGOD SCX RunAsProvider ExecuteScript | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 1aa03e3c54881b2badbac443dfd964bb5e89d65f3a4230ddb1349cd55dd16701 | 0 | 0 |
| OMIGOD SCX RunAsProvider ExecuteScript | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | d532e92700eb248ec7d25152f456ce46ecee476d6fd76a7b3e07659c54d26855 | 0 | 0 |
| OMIGOD SCX RunAsProvider ExecuteShellCommand | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | 5d1fd434b1c927d94f9fe4453395535db904af037d3b9d3ff45b6ef71c0f8e43 | 0 | 0 |
| OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 57337e7a54cc7d5663f144c2d4051297cb796d11797ae6e1ca29ba67c27edb19 | 0 | 0 |
| ONENOTE drops suspicious file | Joe Security | Joe Security Rule Set (GitHub) | 9da30d55d9e21d3f8584b2732c9e7ba8a9cd7d13d798b1d5ba2f6f08ba6b95cd | 0 | 0 |
| OSACompile Run-Only Execution | Sohan G (D4rkCiph3r) | Sigma Integrated Rule Set (GitHub) | ca74a6a906876b95e0e530fd08698135380244388eb4db27bbeb261db249db47 | 0 | 0 |
| OWASSRF Exploitation Attempt Using Public POC - Proxy | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 70471eb8ea01df24c6272c80f1a2be1c1849c4bb340f16eb5f23d2afd29c1fb8 | 0 | 0 |
| OWASSRF Exploitation Attempt Using Public POC - Webserver | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9de883be222a909e9e714b49ed60382523ea8a161272379006f861b0893bb5fe | 0 | 0 |
| Octopus Scanner Malware | NVISO | Sigma Integrated Rule Set (GitHub) | ad8390b7e69e5ce853f3c92ad2199323cf05de73cc23538d5f0c64b8f2ee6bfe | 0 | 0 |
| Offensive tool MaliciousDLLGenerator. DLL side loading(Sysmon) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 83567691787215050fc2832d1859c46eef4d6ec184c2e86675a1cda9293f9656 | 0 | 0 |
| Office macro parent spofing injection | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 6633d004f33515072ffdd8f03f41910d3d9da5e01701655ea5e05259c72e6d05 | 0 | 0 |
| Office starup folder persistance. | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 4f71ac3f10bbbdb0bda74ee81dba1206ffd26e184cc17f7391a0ca82ad838257 | 0 | 0 |
| OilRig APT Registry Persistence | Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 173b1203b0d58ac13e3b93542a1017cf3769eb4ba1be56bb4bc926e53578dc74 | 0 | 0 |
| OilRig APT Schedule Task Persistence - Security | Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 6d4dbcdef02bddd827d8a0739ad5f31dc3844674ae32cf4be9de19c3e4202940 | 0 | 0 |
| OilRig APT Schedule Task Persistence - System | Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 481b18e9f3ae67f2f52eafd5f02566e687c982a62597a8333ec6c4eb21f97fc8 | 0 | 0 |
| Oilirg's "RDAT "Backdoor (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 75f9172f5d8240599ba3e90228c244a661f19b8fecdf018deefea7ea69584949 | 0 | 0 |
| Oilrig | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ea4cbf16bdb71984f5023f3f7cb99896b2f2fbbc624e3fed169da1b645de6150 | 0 | 0 |
| Okta 2023 Breach Indicator Of Compromise | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 6026ed3790b2aa3986a451e5a9c5cb93f12dc49b7030b43e07e6a47de78cfcb8 | 0 | 0 |
| Okta API Token Created | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 37c62bd2bbcddc4acc9d1a5790917fced5f8bffd7529d17806bae479015d0438 | 0 | 0 |
| Okta API Token Revoked | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 0f26d84e2eba3bdbd5a67b63c111a77e2d63546e74143de49507314c059c0fd2 | 0 | 0 |
| Okta Admin Functions Access Through Proxy | Muhammad Faisal @faisalusuf | Sigma Integrated Rule Set (GitHub) | 0e9de7c900164c5bea39c2c5c73d106cba774765e0fc722e969d103f20a92aa3 | 0 | 0 |
| Okta Admin Role Assigned to an User or Group | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 76ee74749375861af873800c29031bf76c1d499b124d9ea839ba8c40dee90c8e | 0 | 0 |
| Okta Admin Role Assignment Created | Nikita Khalimonenkov | Sigma Integrated Rule Set (GitHub) | e3d5e3ef17a28bac74c3e7ed411b661907b14d44a1a21980db9472325c016b8d | 0 | 0 |
| Okta Application Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 5146d9202bfee99aebeefa43c786b2e3719434b3ce05ab72c3c3b42d285cebe5 | 0 | 0 |
| Okta Application Sign-On Policy Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 2ef17e10bfa93f6d655fd5a9f9191f5ac2f485b9a0dd458d450ad6d3337261e9 | 0 | 0 |
| Okta FastPass Phishing Detection | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 4da6d0189181bf3a884e17c8f8db08b98a52cadbd79f7887e5d40a296a0d087d | 0 | 0 |
| Okta Identity Provider Created | kelnage | Sigma Integrated Rule Set (GitHub) | 69d3902e2630392d5c7090797ced750c8ebb671d5e42f47f7870ac50282c0755 | 0 | 0 |
| Okta MFA Reset or Deactivated | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | ec810333c5b5e59400842656cc184df2783f47b5b55d0030bfa5a4f21568df9c | 0 | 0 |
| Okta Network Zone Deactivated or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | fe00ea6d901a92c5ecc5302f0e36994a890f1b517bb02510b6a368f421ec89c9 | 0 | 0 |
| Okta New Admin Console Behaviours | kelnage | Sigma Integrated Rule Set (GitHub) | eb340ef7be2c9cb3efa0549932d10d9f37e9bb1d79dbd150c12543babb9f95f1 | 0 | 0 |
| Okta Policy Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 1c210d6fdbd5b2ba495cbd1a803fad26f2c34786e6b979f4ce8e88872a25db23 | 0 | 0 |
| Okta Policy Rule Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | ae0100a24042add9897a943949ccd1e1e3f8c310cd5979cf48accbce725cd423 | 0 | 0 |
| Okta Security Threat Detected | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 82f25417bf76cf8b64d66b26bf54c4850a4187772d8094d02f3f8eb64bc20bf4 | 0 | 0 |
| Okta Suspicious Activity Reported by End-user | kelnage | Sigma Integrated Rule Set (GitHub) | 6bbff41a6216bb536bc26c995451302370148db5c2e04233dedfaf9dbb7bc355 | 0 | 0 |
| Okta Unauthorized Access to App | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 4ac129ccafdbbfad46a3392c4e73182ba5823ac3df49ac7d3e35e10cbf159b2a | 0 | 0 |
| Okta User Account Locked Out | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 713536374c2a86507e8c3738a171b0b1ab7398e3b84b9a491e14890485ff6bb7 | 0 | 0 |
| Okta User Session Start Via An Anonymising Proxy Service | kelnage | Sigma Integrated Rule Set (GitHub) | 7201e9464f102ca8e21b9546bd23a1cbf359ad574a89098388cadd16d29a8aad | 0 | 0 |
| OneLogin User Account Locked | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 989ec67196bdfe4759541550bbddc7a6be65ecf2debfc15598f3768a4000df04 | 0 | 0 |
| OneLogin User Assumed Another User | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | f0eee7a94251a99b6a747dc186b09c26d9850f1e61d9cbcb7a5939e633565f04 | 0 | 0 |
| Onyx Sleet APT File Creation Indicators | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 242c6137949513e785765dd342fee445a4ad020326a1e9660877eb47bcc455f5 | 0 | 0 |
| OpenCanary - FTP Login Attempt | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | 58b33e5602cceaa5a577e5cea9c030e8f3259c7cc252f6cd08eb3e0cf24c2ae5 | 0 | 0 |
| OpenCanary - GIT Clone Request | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | 9333eda34c79883676f76e701be7aaca43a867b942892f6f66e1f87cdc5e40c3 | 0 | 0 |
| OpenCanary - HTTP GET Request | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | a2338d9de2c3720aed5072e7eae57da07252ad8acb0b21aa731a00f836e3aa96 | 0 | 0 |
| OpenCanary - HTTP POST Login Attempt | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | e5081f3e43c5a12b29cf04c26c5d0aed63e36d3a625cfc3b0b1937e6eb81e495 | 0 | 0 |
| OpenCanary - HTTPPROXY Login Attempt | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | 689fa0fb65b5a7c5ff079146c1527db2d9f9108d904f70b03e12444bae251599 | 0 | 0 |
| OpenCanary - MSSQL Login Attempt Via SQLAuth | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | 6bd549e3820eb117fa8818aa0ccfedca87af749df250dc1dccfddb309fec0fa3 | 0 | 0 |
| OpenCanary - MSSQL Login Attempt Via Windows Authentication | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | b5fdf58437f839cb1a9bcf31d1ba5ccf03578c65244d0b5ba4abc24f546ae501 | 0 | 0 |
| OpenCanary - MySQL Login Attempt | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | fe0897ebb174510d657dd2dae645787156ac4b0016b68584c9329cef4cbed174 | 0 | 0 |
| OpenCanary - NTP Monlist Request | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | 39b4415be3f7286ef04fafd79a27fb4200d037a0d29815b34aaebe36ab7b1fe8 | 0 | 0 |
| OpenCanary - REDIS Action Command Attempt | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | 4248cf2a19280fa7a55967b93ebd7a0d3aff7106fa49d7216be7d12e1795b114 | 0 | 0 |
| OpenCanary - SIP Request | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | 263931e3c504faf456feaa532846356e5b7702b5691069bf621216b9a59e767c | 0 | 0 |
| OpenCanary - SMB File Open Request | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | 8f3d2962c3bbfb397a7b41c8144162baa499408fa9b440f030d4a17c01227b09 | 0 | 0 |
| OpenCanary - SNMP OID Request | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | d709611ff95566f2388c932383ea81de31e7bced597ab1cb2355549614ac533b | 0 | 0 |
| OpenCanary - SSH Login Attempt | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | e7c0bef7207d53d44834e24beb809dd5c9c5d1c6ecc8f06433a3d2c5eb3390dd | 0 | 0 |
| OpenCanary - SSH New Connection Attempt | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | fe4d9241c40e3cb920d3c256723edf2d7f6a4a7e91d8a39f31ea04fe96e261b5 | 0 | 0 |
| OpenCanary - TFTP Request | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | 82420b5dd3ca5ded3ff0423f7dd0fde415919d18f603f31d241f7798322bd019 | 0 | 0 |
| OpenCanary - Telnet Login Attempt | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | 27b505b0c058a311ad88d93d3647ddfcdaa98b7002439b9ef798564fb10f5fc1 | 0 | 0 |
| OpenCanary - VNC Connection Attempt | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | 1135b67cac53d9dc03bc41e41e4001e28fd570f7a292ee2d0a6e910703f5ea4f | 0 | 0 |
| OpenSSH Server Listening On Socket | mdecrevoisier | Sigma Integrated Rule Set (GitHub) | c60669725183d6b8f87e7372de3a80eb4651a08386152acbc38a4dbfabb5a290 | 0 | 0 |
| OpenWith.exe Executes Specified Binary | Beyu Denis, oscd.community (rule), @harr0ey (idea) | Sigma Integrated Rule Set (GitHub) | ea5ec4a6c95de7e028405041a4052a38c12bd6345847e628f0b4ed6648db62d1 | 0 | 0 |
| Operation Vicious Panda (COVID-19 Campaign) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ed562e5af5aba4e5887ef8b69c3f8410480a32e19b5c9e3f3fcd9bd0fd33a447 | 0 | 0 |
| Operation Wocao Activity | Florian Roth, frack113 | Sigma Integrated Rule Set (GitHub) | 0981b6a6bd3a352e954d4f808351eef72bde12f597fac067385a86f67f28169f | 0 | 0 |
| Operation Wocao Activity | Florian Roth (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | 2e30c366dcaa537ae7d98a978f19c3a6bbf9b459e177978af689a71981ca468f | 0 | 0 |
| Operation Wocao Activity | Florian Roth, frack113 | Sigma Integrated Rule Set (GitHub) | 41500c83cd93f90f6d367be3449920cac482603fa9b7f4137f2576feb2ba50a8 | 0 | 0 |
| Operation Wocao Activity | Florian Roth, frack113 | Sigma Integrated Rule Set (GitHub) | d4c0402f67c8a3748cf75523ef859b1c3b31b2503661858ec74bc3b5c7cad0af | 0 | 0 |
| Operation Wocao Activity - Security | Florian Roth (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | a0774a9062d671fa2115dde2a5620ddb95c39200fc4fbcd5a7504ced2408c516 | 0 | 0 |
| Oracle WebLogic Exploit | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9bfd34293b2b68ab59c38057b018b43e4604ddd974aedeb628eb74f48467b2af | 0 | 0 |
| Oracle WebLogic Exploit CVE-2020-14882 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 82dda926865821ca5e8c3ddb93fc4f69772bb79643d23c061dc2f359fcb25cee | 0 | 0 |
| Oracle WebLogic Exploit CVE-2021-2109 | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 58f3096519d091461dc02d540c9ad2e2714378fc856af5b52dcd246cf062437e | 0 | 0 |
| Orcus RAT detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4c082e44fc924f698907583aefcedc31f3b0d4bfbcf17059818ff8c45ff15b60 | 0 | 0 |
| Orcus RAT detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c71576208518c999b7feba529c697771d91ca38beb7d087c1d8ae78eba2c5bb0 | 0 | 0 |
| Osacompile Execution By Potentially Suspicious Applet/Osascript | Sohan G (D4rkCiph3r), Red Canary (Idea) | Sigma Integrated Rule Set (GitHub) | 534e5f09aa8a2711bf32fe1f48e5aaae7c1eb54edca4a45d15d4d2a1d5777d12 | 0 | 0 |
| Outdated Dependency Or Vulnerability Alert Disabled | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | ce19b38916dff269959912516d6e91e3e6f381758112858a696b9b90bfb23faf | 0 | 0 |
| Outlook EnableUnsafeClientMailRules Setting Enabled | Markus Neis, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3cd123419934970c6f512e6e89c3d16dbd5f83ef619f0a253215253f742ab328 | 0 | 0 |
| Outlook EnableUnsafeClientMailRules Setting Enabled - Registry | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 913a691c5abac0b7049954b34a71854907dc501135b328da661014f7ce608eae | 0 | 0 |
| Outlook Task/Note Reminder Received | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d8b055908e57ae42312b98158e8c1827c3b7cb201596b07618147fa83c9b34b0 | 0 | 0 |
| Overwriting the File with Dev Zero or Null | Jakob Weinzettl, oscd.community | Sigma Integrated Rule Set (GitHub) | fb9c58953377bc9ef08cbec4e7921e8bfd0bcea1b91c79a56cd7f21e179f5514 | 0 | 0 |
| PAExec Service Installation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b43a695c8cacf079c156ddcafc854daf0eca84e4b780c7208ee36076669f0506 | 0 | 0 |
| PCHunter Execution | Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | ea00000057824b59ab7e9a01e0fc3ee6282e5c8aa26a9cba0add0c404627ba7e | 0 | 0 |
| PCRE.NET Package Image Load | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 314e0194b44c70b9c92c8fcd5ab2295e9f0c5d034db71b856dc14098ba319f82 | 0 | 0 |
| PCRE.NET Package Temp Files | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 298754861fb9b51e8da2c4490353502093fe96a301b2c943df1e6d6ccc641ea8 | 0 | 0 |
| PIM Alert Setting Changes To Disabled | Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' | Sigma Integrated Rule Set (GitHub) | cb2c7a5d6e74e1d7a58dbc90a045ce1d7a9f5435192be53ba97f900e4fcee238 | 0 | 0 |
| PIM Approvals And Deny Elevation | Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' | Sigma Integrated Rule Set (GitHub) | 9acb40e5ee2c0bff46a5d9bdef2794faf9e98ed7660b3db8f02503e3b740e167 | 0 | 0 |
| PSEXEC Remote Execution File Artefact | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 230eb390fb6e2817dab9db2bfdbd023d78fbb329780d18ebee7e7ac22229c90b | 0 | 0 |
| PSExec and WMI Process Creations Block | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | d5f9283f29961f497c15a772fe3eaf3852c91aaeca1034ffa8fbac0ad1e65b32 | 0 | 0 |
| PST Export Alert Using New-ComplianceSearchAction | Nikita Khalimonenkov | Sigma Integrated Rule Set (GitHub) | 78bfc233a44388751d0901e53bedbf16ae3ac91b77a7f520b03e1fe755288f67 | 0 | 0 |
| PST Export Alert Using eDiscovery Alert | Sorina Ionescu | Sigma Integrated Rule Set (GitHub) | c344baadde7ac55358039b7ea1d02ebd12220869f1ebe3df94888063dd78d8d8 | 0 | 0 |
| PUA - Adidnsdump Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 5fcc3dcdd38e008741a75f024bab3a696ef8d9b4feba961448f2bbe027db5cf8 | 0 | 0 |
| PUA - Advanced IP/Port Scanner Update Check | Axel Olsson | Sigma Integrated Rule Set (GitHub) | e940965433a2cc92fc31e2792e173909b90acd90237f0586703e61591ef0a0d6 | 0 | 0 |
| PUA - CSExec Default Named Pipe | Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | edd6b274dc00acb7d7d2932d7d705fc3bb483b448b5c28b78ba53956ea5bf006 | 0 | 0 |
| PUA - DIT Snapshot Viewer | Furkan Caliskan (@caliskanfurkan_) | Sigma Integrated Rule Set (GitHub) | 203a47b7ef9f6721efefc8005ca1492daf475a9b03afc70af3fde9780df06253 | 0 | 0 |
| PUA - Mouse Lock Execution | Cian Heasley | Sigma Integrated Rule Set (GitHub) | 3d2c6b32d1108da7c43b45888b3ec8440d9177641036131235b6409be1771ff7 | 0 | 0 |
| PUA - PAExec Default Named Pipe | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dae4bab545d2170f8c4ba261aa915411c5e88f7bc7c9c202844f7d4dfaa46ed6 | 0 | 0 |
| PUA - PingCastle Execution From Potentially Suspicious Parent | Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2c018dcbeb4d1cb1cb608ee8206c7c9051b1907cc64c175ffff7d080ad6e9d0f | 0 | 0 |
| PUA - RemCom Default Named Pipe | Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8701a7d6b05632d8957dd9d58a5def27cd25ab60591062c7829d17dc4b8689f6 | 0 | 0 |
| PUA - RunXCmd Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dd83088cd2165f94f85ef74a40370155c40633c897626c46ec18f8e51bf5fb55 | 0 | 0 |
| PUA - Sysinternals Tools Execution - Registry | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 31af484ddac8c57fe9360290fce72392b7f61a6219f537208279dede0651a785 | 0 | 0 |
| PUA - System Informer Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 377b9450d36e20bc9eaebae30e773e6035bdf9aa23366599f86d34ae06826f3b | 0 | 0 |
| Pandemic Registry Key | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1280d1699ff038c66a632a34d113a985abe94aba7a198de85b3dec7e8c56e432 | 0 | 0 |
| Pandemic Registry Key | Florian Roth | Sigma Integrated Rule Set (GitHub) | 83870fe1bc3919a21d0e4bfe80e46298d498a92fede413336e99c62c736fde77 | 0 | 0 |
| Pandemic Registry Key | Florian Roth | Sigma Integrated Rule Set (GitHub) | 94c2e0c66ba5ec7b925ceb0b07bd496ceb43525c621caa6b3a18048c1c9ffd88 | 0 | 0 |
| Pandemic Registry Key | Florian Roth | Sigma Integrated Rule Set (GitHub) | a1ba081fa2fecc17406857322da10c42bfd5d39b025a35029fa0fe1b55760821 | 0 | 0 |
| Pandemic Registry Key | Florian Roth | Sigma Integrated Rule Set (GitHub) | f3d343e52cbeb2af747dd246bd8ea56b0de2c474c81d88ef7e6cd844d31fe85a | 0 | 0 |
| PaperCut MF/NG Exploitation Related Indicators | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d4bc1833ea3209fde8ff3f446e8b87f1fe90655c123167d81fb5baf89b952c2b | 0 | 0 |
| PaperCut MF/NG Potential Exploitation | Nasreddine Bencherchali (Nextron Systems), Huntress DE&TH Team (idea) | Sigma Integrated Rule Set (GitHub) | e7c0f6be4c07f1ad2f6f3f706f828afdc4c66e76b81bcf6b6f6acd69a19ad218 | 0 | 0 |
| Pass the Hash Activity | Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method) | Sigma Integrated Rule Set (GitHub) | 28b05b77c561c979f988b8e68e0fd7bee5c3d69bebf583aefab5e6c03dbd30d4 | 0 | 0 |
| Password Change on Directory Service Restore Mode (DSRM) Account | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | d5526765d05068ba3b4fc756226bbb23764077a29b90a8d1b182c52b27247a96 | 0 | 0 |
| Password Dumper Activity on LSASS | sigma | Sigma Integrated Rule Set (GitHub) | 25dff248d062d94230b27dc2516c0e2a98f6760f4b5d93f07871a0f48b12c990 | 0 | 0 |
| Password Dumper Remote Thread in LSASS | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 68e65c1d21220f970cb6860795f7c6918fb617b028d783bcc58af027c5ee078c | 0 | 0 |
| Password Policy Discovery | Ömer Günal, oscd.community, Pawel Mazur | Sigma Integrated Rule Set (GitHub) | 70af2a777246077f95f00d88094a0d2d36234fe41d5cb79303b751759b327351 | 0 | 0 |
| Password Policy Enumerated | Zach Mathis | Sigma Integrated Rule Set (GitHub) | 9d40f55c895ee82ec994566c6fac446512025d88d880a1ab97023fc27e4f859a | 0 | 0 |
| Password Protected ZIP File Opened | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | eb33357ccb75fd5dba059c522da5c8442a7a91ffc70415de3339f526ac8c5082 | 0 | 0 |
| Password Protected ZIP File Opened (Email Attachment) | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 187ce23c1aa8e0dc7011c68b8294c8501a17467c7ee31fbb5d001d1e296cbc34 | 0 | 0 |
| Password Protected ZIP File Opened (Suspicious Filenames) | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 05393000658165d71f04748ec6b135470c44474d0a610a95611c3ebdfe50ffd2 | 0 | 0 |
| Password Reset By User Account | YochanaHenderson, '@Yochana-H' | Sigma Integrated Rule Set (GitHub) | 8d765da0a95268a2b6989a5f346c32e9ddf62e5d6733097120ff6e1d0bc6fd70 | 0 | 0 |
| Password Spray Activity | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 8d0dc49bd433b55f8ad62323dad546e53fbb9e5193988acf7a8441f4f014ff99 | 0 | 0 |
| Path Traversal Exploitation Attempts | Subhash Popuri (@pbssubhash), Florian Roth (Nextron Systems), Thurein Oo, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 773cff12ec7cbfc99bc118e98518f2e0050d70dca13977467d5ec706e1253a9d | 0 | 0 |
| Peach Sandstorm APT Process Activity Indicators | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4d6ccffdf3a551868afd13a09fd2f50c35943055c4e90b9d005e37762418ce73 | 0 | 0 |
| Permission Check Via Accesschk.EXE | Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cd3d7a697c3c3677aa8da2c29a31ba2c427c6efdde2818deab23f432540c2193 | 0 | 0 |
| Persistence Via Disk Cleanup Handler - Autorun | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5ab9ef90123e539e99d776a0e46999b9821c4732f3eceac62021cd8fb8c88e80 | 0 | 0 |
| Persistence Via Sticky Key Backdoor | Sreeman | Sigma Integrated Rule Set (GitHub) | 62e0a8cc199a4d0a9766d75ef3213180a3865b74ce2be5948d1bc1fc5aa68e49 | 0 | 0 |
| Persistence and Execution at Scale via GPO Scheduled Task | Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | 261e256e88ce2c0fee286d620d8ff6e77e8cd38f8b7edfda21eb83ac8d48a9b5 | 0 | 0 |
| PetitPotam Suspicious Kerberos TGT Request | Mauricio Velazco, Michael Haag | Sigma Integrated Rule Set (GitHub) | ea26c5b32a6c3921fdfe6b9e3d229e17679f51ee8479750522d3af1a3e499d7e | 0 | 0 |
| Phorpiex Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 49cbcdd3c2bd2982afc88c5858d00892e8d508453878c1a3cd42562042976e54 | 0 | 0 |
| Pingback Backdoor | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 12147457a137c617a8c55dbaedd9bc3c0cec1a58f0abd3a364a57af2b9dc7967 | 0 | 0 |
| Pingback Backdoor | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 5c3e50d74286082eb71b88893a78ffa754ccb9d60b9acce0bb0b8cb91d5ba31d | 0 | 0 |
| Pingback Backdoor | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | f384452415580cfacef78ec66267f7d0bfb736fee4faca1b9d7d41f0a7975af2 | 0 | 0 |
| Pingback Backdoor Activity | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 6445b62d62c302592ad18186139719c0e819f43d9a6beed3bf0ab7f2d451d194 | 0 | 0 |
| Pingback Backdoor DLL Loading Activity | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | ea92810a14a762b008597bcf3399fe14869e0f793089b7e162701a7be5def9bd | 0 | 0 |
| Pingback Backdoor File Indicators | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 25fa9043dc7fef1e4d5f8f2c702b53d1134ca5d490bae826fd7ecf2551f3e2ce | 0 | 0 |
| Ponmocup Malware Behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 552054511e656c379a350ba0be389fc00411a46c49cefaa5969933937782bd7f | 0 | 0 |
| Possible CVE-2020-1472 (zerologon) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 004fb7066c5a25b3f6a6420c6a8725fbc30258b16fb591b4c9b86b9da893d74d | 0 | 0 |
| Possible CVE-2020-1472 (zerologon) | SOC Prime Team | SOC Prime Threat Detection Marketplace | b2199e218352cf6a91e1a9ea26af1aa07e66c291293a802c8fdf82966b40dbe4 | 0 | 0 |
| Possible CVE-2021-1675 Print Spooler Exploitation | Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w, Tim Shelton | Sigma Integrated Rule Set (GitHub) | bead488a4543b9f760689bdc7093fc4540098b5bcf3c09c678976c6ed6354eb2 | 0 | 0 |
| Possible CobaltStrike PsExec filenames (via audit) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 733bf87ef65e4345273fe19b29d4ece1a8f2959d0e60073864e1596be59171e4 | 0 | 0 |
| Possible CobaltStrike PsExec filenames (via audit) | SOC Prime Team | SOC Prime Threat Detection Marketplace | a2858e2b79b3da9a5b4d1304cbcd84acf91d6a6062ca5f095b0d774272030879 | 0 | 0 |
| Possible CobaltStrike PsExec filenames (via audit) | SOC Prime Team | SOC Prime Threat Detection Marketplace | a321323d7d6157b4259e681855280c87bb847b7bc7874bc3fabdbdf23ec563c7 | 0 | 0 |
| Possible Coin Miner CPU Priority Param | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 066bf65181967c1e98ac2f9df11a8fd671e19d04a92efcac223bb0d380b06fdf | 0 | 0 |
| Possible DC Shadow Attack | Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah | Sigma Integrated Rule Set (GitHub) | b2fec2248b287bf7e5d5226c97e0e035d64995c904571c48230b8adac0240d6b | 0 | 0 |
| Possible DCSync Attack | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | 186f4002dfd67833333c33662a78269f441aaeb8d7fb391717c493a0245291e1 | 0 | 0 |
| Possible DNS Rebinding | Ilyas Ochkov, oscd.community | Sigma Integrated Rule Set (GitHub) | 7a69b135d65a01f7902597771e9c5634482fc44f6a01ddde76c647a9b293f852 | 0 | 0 |
| Possible DNS Tunneling | Patrick Bareiss | Sigma Integrated Rule Set (GitHub) | e597452786d564a9ef7996902a2c2c93c77f558932cbf4f4bdf5a3bc3bd8414f | 0 | 0 |
| Possible Data Collection Over SMB | SOC Prime Team | SOC Prime Threat Detection Marketplace | ac79c3ded0f25a49a60eeb6806049f4e21c47eff774ed79ceb760b8377ace4c6 | 0 | 0 |
| Possible Data Collection related to Office Docs and Email Archives and PDFs | SOC Prime Team | SOC Prime Threat Detection Marketplace | d6ed6d774c0f9d1aa8f9e7c8d6e850cccf5682e206f4cf08de83bda6b90994fb | 0 | 0 |
| Possible DePriMon activity (via registry_event) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 05a6eb84ba469846def921f914e3d8b9fbdd2692488b9f37c291938d73de1a2c | 0 | 0 |
| Possible Directory Traversal Web Server Attack | SOC Prime Team | SOC Prime Threat Detection Marketplace | c49479c5356b52e94528e552ed642e4987c6a5c700ed76ebe1536af2231219d0 | 0 | 0 |
| Possible Exchange CVE-2021-26858 (via audit) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | e69ddf941adc94abece38df217d775b76868df2e2ea22a1ec52a70e9f236fe22 | 0 | 0 |
| Possible Exchange CVE-2021-26858 (via audit) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | ff377bfd583855c832c7dd822b71dcb07ea79b550063b031c7e96add1d6524e5 | 0 | 0 |
| Possible Exchange CVE-2021-26858 (via file_event) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | 0fe11fe110197a5d21d1f4c9b2fed3e8f8afe8066ffa9242e24a9a95abe2516a | 0 | 0 |
| Possible Exchange CVE-2021-26858 (via file_event) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | 99b35216607149affdfa929b0e387d69d2806cbefee2308c2735848d194d344d | 0 | 0 |
| Possible Exploitation of Exchange RCE CVE-2021-42321 | Florian Roth (Nextron Systems), @testanull | Sigma Integrated Rule Set (GitHub) | 5a40221e67f7aba15ef82f3d0d7b2b844f8ae17825570bff630c88811cc4ad61 | 0 | 0 |
| Possible F5 BIG-IP TMUI Attack CVE-2020-5902 | Roman Ranskyi | SOC Prime Threat Detection Marketplace | 218640966c9d97eb1eff96fd1e484617b91f4df0ea75bcf0e4e5cb6fdf8d99b6 | 0 | 0 |
| Possible F5 BIG-IP TMUI Attack CVE-2020-5902 | Roman Ranskyi | SOC Prime Threat Detection Marketplace | 6479d3a228183d5f5cbc12cf06692c41fdde83f2aeac8f71a156a2a48b648a32 | 0 | 0 |
| Possible F5 BIG-IP TMUI Attack CVE-2020-5902 | Roman Ranskyi | SOC Prime Threat Detection Marketplace | 716a5ff18b2ab00b814d6e1cddf7647371f09788e189c010c793f26da08fd75b | 0 | 0 |
| Possible F5 BIG-IP TMUI Attack CVE-2020-5902 | Roman Ranskyi | SOC Prime Threat Detection Marketplace | 88b5d334ee9ea111b57d657cd139707d075dd8ed6627da16a793126604d859dd | 0 | 0 |
| Possible F5 BIG-IP TMUI Attack CVE-2020-5902 | Roman Ranskyi | SOC Prime Threat Detection Marketplace | c1f2f68a9cff2de7103eeb1fd31cdbaf1b6fa00837c80f48223a78b3610f8eee | 0 | 0 |
| Possible Flash 0day execute embedded in Word document. (Sysmon) | Roman Ranskyi | SOC Prime Threat Detection Marketplace | b817381a55e4395f3432afdeaba45bc656fe1d69add003ca93890ee9dbb88dc8 | 0 | 0 |
| Possible HAFNIUM Webshell March 2021 (via web) | SOC Prime Team, Micrsoft | SOC Prime Threat Detection Marketplace | 3f570551a3f5298bb8ffcdbfa6a8a34da33b20e2466ac118693efa67b24e4b43 | 0 | 0 |
| Possible Impacket SecretDump Remote Activity | Samir Bousseaden, wagga | Sigma Integrated Rule Set (GitHub) | d662c9e44d08cdfba8767e63ec2258087b3839be1275833c535955e8dfdc962a | 0 | 0 |
| Possible Impacket SecretDump Remote Activity - Zeek | SOC Prime Team | SOC Prime Threat Detection Marketplace | 0f0d88d275fc1726d496bdd1f93e157e9474e735b61dce0f2a1a7e62b73aa4d0 | 0 | 0 |
| Possible Impacket SecretDump Remote Activity - Zeek | Samir Bousseaden, @neu5ron | Sigma Integrated Rule Set (GitHub) | 9817f9971438f3d35c3ff932f369427b842af1830ee9d876b82315c2af4ec94b | 0 | 0 |
| Possible MS RDP Worm activity aka "BlueKeep" (CVE-2019-0708). | Roman Ranskyi | SOC Prime Threat Detection Marketplace | 4f9d5b07a08c2a6f429d46dd58004d7b7cd97555012e4b197608622358100e0c | 0 | 0 |
| Possible Malicious Docker Image was Uploaded. | Brandon Hart | SOC Prime Threat Detection Marketplace | 8883f6245da8667a77cc2858555fe077b1437141d61a2ce027184b194828a850 | 0 | 0 |
| Possible PetitPotam Coerce Authentication Attempt | Mauricio Velazco, Michael Haag | Sigma Integrated Rule Set (GitHub) | 8b1c0d38f0e9f17fd31e1b3ae1092dd248b2ae07a01e4a431516fa46995b8d0f | 0 | 0 |
| Possible PrintNightmare Print Driver Install | @neu5ron (Nate Guagenti) | Sigma Integrated Rule Set (GitHub) | ad5c13aa09c3e5f96d8d44e50e12cbf519a648471259976a40654ceb7215e58a | 0 | 0 |
| Possible Privilege Escalation via Weak Service Permissions | Teymur Kheirkhabarov | Sigma Integrated Rule Set (GitHub) | 6a8c7191c56707b059d6c77b850fd9a1f9bc6c202dd771d100565edecef8686b | 0 | 0 |
| Possible Remote Password Change Through SAMR | Dimitrios Slamaris | Sigma Integrated Rule Set (GitHub) | b1713847a4daf31e020cbf71527ef33d0662b5c19661263ab551e6ad9fd67ab6 | 0 | 0 |
| Possible Ruby on Rails CVE-2019-5418 PoC | Roman Ranskyi | SOC Prime Threat Detection Marketplace | 6fba8939e048342afcf17dfc048d360bac3d5b6624cf12a22d156736dd818870 | 0 | 0 |
| Possible Ruby on Rails CVE-2019-5418 PoC | Roman Ranskyi | SOC Prime Threat Detection Marketplace | 75865efeda875bb8b0aac82fb3b5a47ff0e7f843016157ee8942621977061407 | 0 | 0 |
| Possible Shadow Credentials Added | Nasreddine Bencherchali (Nextron Systems), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | 3ac58da064a3212ab62b43328991ce32be6d99ccf2d321b3a2e95bcd32091c2b | 0 | 0 |
| Possible Unknown Exchange 0 day March 2021 (via web) | SOC Prime Team, volexity | SOC Prime Threat Detection Marketplace | b9468847ca9a6e3d39ea2b21395d1127e2ffa91f808f3fc8942ef0d65b7f12f7 | 0 | 0 |
| Possible VMWare vCenter Exploit CVE-2021-21972 | SOC Prime Team | SOC Prime Threat Detection Marketplace | 42df827de0dcea1b983942ba353a02fb956b2fde9a0ad6588f317f9ffd56110b | 0 | 0 |
| Possible VMWare vCenter Exploit CVE-2021-21972 | SOC Prime Team | SOC Prime Threat Detection Marketplace | b9b880760f2efb391cc1fc7cb12a935b3838db71ee45575fc112bbe9b4a306a1 | 0 | 0 |
| Possible Webshell - Rare PUT or POST by IP | SOC Prime Team | SOC Prime Threat Detection Marketplace | 12b4ca0d87e88664b966d19bd99b3ccc51ff3c7ee9c0a5458b0f0675a0cd65cc | 0 | 0 |
| Possible Webshell - Rare PUT or POST by IP | SOC Prime Team | SOC Prime Threat Detection Marketplace | 7a8435fc28a2572f17ab389949908468b06e249365c83e2203a00baa233b8eb2 | 0 | 0 |
| Possible Windows Executable Download Without Matching Mime Type | SOC Prime Team | SOC Prime Threat Detection Marketplace | 815d6d2c68a3ef44716300a07a6814032d253de34cd2f2be2648db1efc8c3b61 | 0 | 0 |
| Possible Zerologon (CVE-2020-1472) Exploitation | Aleksandr Akhremchik, @aleqs4ndr, ocsd.community | Sigma Integrated Rule Set (GitHub) | e4567b8b5187e55fdafa46896fe44aa16e80e8299fdf616562294969ae32c7a6 | 0 | 0 |
| Possible emails/attachmets extraction by Emotet | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 413ee025b8a23df869f7342778fc274599e24cfb881e26cde55b06feddae06bd | 0 | 0 |
| Post CVE-2017-5638 exploitation | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f0750e1ec35c54a3e4b96c31c30c90992261adc3f0dbfc07f1c841b4cd0b5be0 | 0 | 0 |
| Potential AD User Enumeration From Non-Machine Account | Maxime Thiebaut (@0xThiebaut) | Sigma Integrated Rule Set (GitHub) | 1a4024d9c095d28a1da18eb257926feded8ec7d7ea03762f6eab63b22a41721e | 0 | 0 |
| Potential AMSI Bypass Script Using NULL Bits | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 94da285d1058a55c822bdfec3f469a4fcf37f0b3217591da9503bc50ae05655f | 0 | 0 |
| Potential AMSI Bypass Using NULL Bits | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 054dbba8c1d1faafff40931cbfdd4d09a23d3459cfad14e5dd89db657677536e | 0 | 0 |
| Potential APT FIN7 POWERHOLD Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d17ea5be7d772d983fe2447b9108465dfff299fde4e45820d3f670714f8207c9 | 0 | 0 |
| Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1e370cd2fa88cbb7648b059f66e73bf1af9f8755885ca85e022768f679e4da55 | 0 | 0 |
| Potential APT FIN7 Related PowerShell Script Created | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5fb75fc0baebfac35cd9d6515913d97175994556d758f7879fb483e528a58685 | 0 | 0 |
| Potential APT Mustang Panda Activity Against Australian Gov | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 09c4fe58b3cc0fc08b7125827492b9d4ea6ad1ae52befdeb33f268eee8b2d7d4 | 0 | 0 |
| Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32 | Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fa6fe737f5145762e909801e31b442ca6e73fb112f26179762cd60b5c64a4867 | 0 | 0 |
| Potential APT10 Cloud Hopper Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 860cd791b52ed03d76e2842429f67b1ac870f8f77a5a09b472fbbf3c964ee708 | 0 | 0 |
| Potential AVKkid.DLL Sideloading | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 567023ddc2833cc725f7364853a2f92117ec5f472dfe49a0f3b50e094fe5c901 | 0 | 0 |
| Potential AWS Cloud Email Service Abuse | Janantha Marasinghe | Sigma Integrated Rule Set (GitHub) | 1f0cc71727a1277e80f2ce9d508865b93122a086b90c6814c8c079f81baebcf3 | 0 | 0 |
| Potential Access Token Abuse | Michaela Adams, Zach Mathis | Sigma Integrated Rule Set (GitHub) | 46732bf62a468ba6d41a49d14771d1c58895412b420d96244c0afdad9e6e2350 | 0 | 0 |
| Potential Active Directory Enumeration Using AD Module - ProcCreation | frack113 | Sigma Integrated Rule Set (GitHub) | fd3e3db7d1c143a5c775264d1b9a8768986b744bdbb9b43836d78859b52e3c34 | 0 | 0 |
| Potential Active Directory Enumeration Using AD Module - PsModule | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | 63b566166f9c32a94d1f702a96993c2ad48b3adb0a838fa3d24b385285245086 | 0 | 0 |
| Potential Active Directory Reconnaissance/Enumeration Via LDAP | Adeem Mawani | Sigma Integrated Rule Set (GitHub) | afe088ee5f69ba6fb59e2c89d995b9a77ed2636f341d9222a077422e7ccb35d8 | 0 | 0 |
| Potential Adplus.EXE Abuse | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c294891087a9b38205e66bfa114d15656288be13570e767a97f524f8f565f2cd | 0 | 0 |
| Potential Amazon SSM Agent Hijacking | Muhammad Faisal | Sigma Integrated Rule Set (GitHub) | 696180403d126a08a9b5d3d5d0cc56eeb73940198f654c54c05a89fd89af3884 | 0 | 0 |
| Potential Arbitrary Code Execution Via Node.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c338961afb17f36d8f91b99822d7b9f6281cfa439131caae5ff614c28b98f7e9 | 0 | 0 |
| Potential Arbitrary DLL Load Using Winword | Victor Sergeev, oscd.community | Sigma Integrated Rule Set (GitHub) | f5901bba2c7e41d225bb4ceeccbffab6be2a894654be881fa62d19f6acf1aaca | 0 | 0 |
| Potential Arbitrary File Download Using Office Application | Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community | Sigma Integrated Rule Set (GitHub) | ea2e6d12452bb96efe983fe35dede0d7e4c30aa5e624a44ce14f6c0fbe84896f | 0 | 0 |
| Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 56b5ba6ff40bf2213da0f48c868136707e52c6ca8ac602bf6013d111e87ea977 | 0 | 0 |
| Potential Baby Shark Malware Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7e3c417e8dc74e72824b44e745f3abcd085e70e309ca15d279f127de94331f6e | 0 | 0 |
| Potential Backup Enumeration on AWS | Janantha Marasinghe | Sigma Integrated Rule Set (GitHub) | d4fe3d14eb98f8bd48ba0af6073d33644b463c53f1fb6514c2f758322d2e810a | 0 | 0 |
| Potential Base64 Encoded User-Agent | Florian Roth (Nextron Systems), Brian Ingram (update) | Sigma Integrated Rule Set (GitHub) | 1a33a54c8b4cec7be96c448c6c1917927cc89302b66f0a3b5b72ea604e1f3368 | 0 | 0 |
| Potential Binary Proxy Execution Via VSDiagnostics.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d254d605d2c54c5e5e334631be39baf8498edc0f816c748110cdf2fe84417ec4 | 0 | 0 |
| Potential Bucket Enumeration on AWS | Christopher Peacock @securepeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | ea761c1a1e4e4a5e123e51d2b942c507f041bf3990b3a406cec11158b49f40d3 | 0 | 0 |
| Potential Bumblebee Remote Thread Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c8f014ee43cb3fab9f235f104d16cf3641236cd69f3975b08abac22e75458d45 | 0 | 0 |
| Potential COLDSTEEL Persistence Service DLL Creation | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5d970804cc6cf2dbc8bf067e5377b8b2af332b907a116f448e949ab9ccb3bb83 | 0 | 0 |
| Potential COLDSTEEL Persistence Service DLL Load | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 80193ebed321c90c26b4a26fb444721b3bf4daef02c486a64a21f4862c016058 | 0 | 0 |
| Potential COLDSTEEL RAT File Indicators | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b9c2f8e9feba99e3d029c979914f75d9cf4f7523dcf4f10055d56c39c481072c | 0 | 0 |
| Potential COLDSTEEL RAT Windows User Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a3a603d2f99edd43eb8adcd1b2e05195ec7fb090922736f2cd9835d81f7b6fee | 0 | 0 |
| Potential COM Object Hijacking Via TreatAs Subkey - Registry | Kutepov Anton, oscd.community | Sigma Integrated Rule Set (GitHub) | 3a5176242220f6a6e49fd00b2b47af50918dae9ca9edecfcfa843475d2e01df0 | 0 | 0 |
| Potential COM Objects Download Cradles Usage - PS Script | frack113 | Sigma Integrated Rule Set (GitHub) | 139dfd44d42316af195b126ba90bfe2e69202770b83f23cedc967bd558604186 | 0 | 0 |
| Potential COM Objects Download Cradles Usage - Process Creation | frack113 | Sigma Integrated Rule Set (GitHub) | e5fff7aee020ea6000e66e12d6d0e617832fc128e2a242a10a39344f9fd59385 | 0 | 0 |
| Potential CVE-2021-26084 Exploitation Attempt | Sittikorn S, Nuttakorn T | Sigma Integrated Rule Set (GitHub) | 988717863a64de8f70fbc7f771469050a6d089e9d81944d9e0566adfa36779c5 | 0 | 0 |
| Potential CVE-2021-26857 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 6a562c9f35089d87a91ec35ae35044bfb9902969d69d04e8f50b1e9f2b14b4d0 | 0 | 0 |
| Potential CVE-2021-27905 Exploitation Attempt | @gott_cyber | Sigma Integrated Rule Set (GitHub) | a4b1b8220aa7c05b19e396969fd8249d20e0dca66f3c7155bbc943f224536061 | 0 | 0 |
| Potential CVE-2021-4034 Exploitation Attempt | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | d0cbc247e993696fffe6ecb6dac1ea715cb8a3aef0ce4e86e754f40223259b0d | 0 | 0 |
| Potential CVE-2021-40444 Exploitation Attempt | Florian Roth (Nextron Systems), @neonprimetime | Sigma Integrated Rule Set (GitHub) | f438a85d4d0729d23171fa1823ccdb8541fc46f2e71ea2827ad42bc7f373a360 | 0 | 0 |
| Potential CVE-2021-41379 Exploitation Attempt | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1649fcc98b56dc9cfc742a4a6df24ac3e91123ac466268300afc87e3f91191e2 | 0 | 0 |
| Potential CVE-2021-42278 Exploitation Attempt | frack113 | Sigma Integrated Rule Set (GitHub) | 864e1d1683353be902b628feefe866931925fd28550796b04dc914f4e7ff53ea | 0 | 0 |
| Potential CVE-2021-42287 Exploitation Attempt | frack113 | Sigma Integrated Rule Set (GitHub) | f874aeee1f8b9f847924270cf5a2084d672f053cbab5d8cbf343085a03c3eff4 | 0 | 0 |
| Potential CVE-2022-21587 Exploitation Attempt | Isa Almannaei | Sigma Integrated Rule Set (GitHub) | 027808bfa478c6125ac1c20b8f848bb360ff1479cfcba8ae648cc1945849bbd2 | 0 | 0 |
| Potential CVE-2022-29072 Exploitation Attempt | frack113 | Sigma Integrated Rule Set (GitHub) | c09e0c560b391eaf6627874d519025cc691ab8a239ec19cee6c292940ab203e2 | 0 | 0 |
| Potential CVE-2022-46169 Exploitation Attempt | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7b8792d32a2701b3cd057b81e876fde2e428b0de253197dc52e387b030882aad | 0 | 0 |
| Potential CVE-2023-21554 QueueJumper Exploitation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fb836f7e352be6c866700f559f6e67fe4a83685138a8fed37016ba248bbcde63 | 0 | 0 |
| Potential CVE-2023-2283 Exploitation | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 299bb32a976fbd25057405233a490d07a55b1beb29e277d8317a1c89f70b8389 | 0 | 0 |
| Potential CVE-2023-23397 Exploitation Attempt - SMB | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 27dbf54b6cd4b104057b215817ae0046524b7ef4546bb0c0b54886340f7fd5a2 | 0 | 0 |
| Potential CVE-2023-23752 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 4ad59746f3bc0c924d623069c394bd1c884c3d8184db005db2f4b8e6f4d7e9eb | 0 | 0 |
| Potential CVE-2023-25157 Exploitation Attempt | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3cb099e30b8ed6aa61a7bc67f49d081698f21ab3e76e38228019635ca5bc0763 | 0 | 0 |
| Potential CVE-2023-25717 Exploitation Attempt | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9449f07f044a9672fdc0d6b172f5a90ffa258799c44a8cfc4c426b72e57e84da | 0 | 0 |
| Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader | Gregory | Sigma Integrated Rule Set (GitHub) | 7126ea48e860a4d1b50ce097fbbb86408095669f3a451bdf2b89f45b97fedd8a | 0 | 0 |
| Potential CVE-2023-27997 Exploitation Indicators | Sergio Palacios Dominguez, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 41bfc7b79197af6f328ab6c7da8d948ebf34fd55be685f542a5a6c102753ddc3 | 0 | 0 |
| Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 19fa52160548b6228e020a872b494d789b1024fc40b88aec57dd7764c8cef65c | 0 | 0 |
| Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 57eb42aae7f21cf9f00cad342cd2df68f35ad5b65f64356e029fc9a252bfb045 | 0 | 0 |
| Potential CVE-2023-36884 Exploitation - File Downloads | X__Junior | Sigma Integrated Rule Set (GitHub) | 7ff82a226393a799e4fda3c2922933f7a9a5789088b007cf77c2a9b55ca845af | 0 | 0 |
| Potential CVE-2023-36884 Exploitation - Share Access | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e19e915855535f1f8f3404a5d54ee1ea432a7600b670a3879f0ed11e6f8f4d78 | 0 | 0 |
| Potential CVE-2023-36884 Exploitation - URL Marker | X__Junior | Sigma Integrated Rule Set (GitHub) | cd8e9f183a0cf57d1103b900e9fa528e843824513a938b3a12393d9a9927ea46 | 0 | 0 |
| Potential CVE-2023-36884 Exploitation Dropped File | Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0f95079db467bd6f132e6ea1066a853ff7f038366fee6916827685d147b7b4da | 0 | 0 |
| Potential CVE-2023-36884 Exploitation Pattern | X__Junior | Sigma Integrated Rule Set (GitHub) | bf71c7a7c948854f4b9178a1437bedb5251f01b09c4f6c1f05b51e1cab8d2671 | 0 | 0 |
| Potential CVE-2023-46214 Exploitation Attempt | Nasreddine Bencherchali (Nextron Systems), Bhavin Patel (STRT) | Sigma Integrated Rule Set (GitHub) | 39a0e23b4d4dfab6cb4161de39bb03d86b568de0b8c63f3e670c208bba445c58 | 0 | 0 |
| Potential CVE-2303-36884 URL Request Pattern Traffic | X__Junior | Sigma Integrated Rule Set (GitHub) | 27f364f4b7fe39b84d30bb720a7a72644be8d6ea678298b9630244cd9063a981 | 0 | 0 |
| Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877 | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2488e16f373e733821b632c6a3c2368da7f600b9302963a8043ae377ed07dfb1 | 0 | 0 |
| Potential CobaltStrike Process Patterns | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f6b39e4a331f85ca7590bf725ff05b84567ac82eecf2ef761c60e4baed042482 | 0 | 0 |
| Potential Compromised 3CXDesktopApp Beaconing Activity - DNS | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 584b74d5fe7890202b3290099661a831bcfc55ee514078214bf4530dd50a42d0 | 0 | 0 |
| Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9a8d6fcad871fab5ae0575788b3da2154aa859c62244e5bb740302ce7b9054c1 | 0 | 0 |
| Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f00bd3853dcfa6a07a545526bb14e0e029f716dd6d239c7343a7c85b8c13113a | 0 | 0 |
| Potential Compromised 3CXDesktopApp ICO C2 File Download | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 321ae7c2bb927b9439935fb8449149019ff5ed2a8324902434397c637d709f7e | 0 | 0 |
| Potential Compromised 3CXDesktopApp Update Activity | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2261c99b1e77d29a5d447aedc127cd8ea8c6833b21065440deca37b770f7b784 | 0 | 0 |
| Potential Container Discovery Via Inodes Listing | Seth Hanford | Sigma Integrated Rule Set (GitHub) | cb1b07cf011267435ee38cf5d6632ef663fee3578ece289552aec8661d8bacdd | 0 | 0 |
| Potential Conti Ransomware Activity | frack113 | Sigma Integrated Rule Set (GitHub) | c41fdd8a72030a4b0b96e025a1f36e7970262ad1e17a4ad2a29f643cb2033927 | 0 | 0 |
| Potential Conti Ransomware Database Dumping Activity Via SQLCmd | frack113 | Sigma Integrated Rule Set (GitHub) | a8204898cf8fc5736e342a77657426a9af40b6b573152d2d6e852a3112dead6d | 0 | 0 |
| Potential Cookies Session Hijacking | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6a27e2c1cd86098243cb0c0c1ef9b5074d9a2285e100c4648259cbc65f70ee02 | 0 | 0 |
| Potential Credential Dumping Activity Via LSASS | Samir Bousseaden, Michael Haag | Sigma Integrated Rule Set (GitHub) | 63d1c446465d6c6205e2452b5fca8715042ebcc9bfa04624288ce34d07cfa028 | 0 | 0 |
| Potential Credential Dumping Via LSASS Process Clone | Florian Roth (Nextron Systems), Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | 489015366445b29d739d0c35ebba4e9278457dd045568abcf2266370379e7944 | 0 | 0 |
| Potential Credential Dumping Via LSASS SilentProcessExit Technique | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 04ff5b08364c475a034622812a1a7c93e181b8b348d6dc3b1fe28b11828e7d23 | 0 | 0 |
| Potential Credential Dumping Via WER | @pbssubhash , Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 479127bceeb1e84ef9894793b27b1ae8adae99def09d48a8f448176a91dae129 | 0 | 0 |
| Potential Credential Dumping Via WER - Application | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7f27aca3e2c187a0217b0001e76da87aa7acba5f60e75f6aea520d51e103a2f3 | 0 | 0 |
| Potential DCOM InternetExplorer.Application DLL Hijack | Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga | Sigma Integrated Rule Set (GitHub) | fe14d9fd1cf76dd06d0659c255e22519d80815f1e23e69757a8cd989049216da | 0 | 0 |
| Potential DCOM InternetExplorer.Application DLL Hijack - Image Load | Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga | Sigma Integrated Rule Set (GitHub) | c93fc81f487e67f1eb297817c9b905d0ef0a2690dd920aad9520307d2a2e211c | 0 | 0 |
| Potential DLL Injection Or Execution Using Tracker.exe | Avneet Singh @v3t0_, oscd.community | Sigma Integrated Rule Set (GitHub) | b829a2f1ed89d5380f218ac5f6e134b4301319062cf792789557f30f6f903d24 | 0 | 0 |
| Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE | Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | 81bca906324cf27310dabd3f7ea96e340ba806166d4b698cadc0f9d196c04327 | 0 | 0 |
| Potential DLL Sideloading Via DeviceEnroller.EXE | @gott_cyber | Sigma Integrated Rule Set (GitHub) | 19ac09f51e497a26abb334abfa3680915ee0dab6ac32186cd566da99c9a9679b | 0 | 0 |
| Potential DLL Sideloading Via JsSchHlp | frack113 | Sigma Integrated Rule Set (GitHub) | 9c2da4d12e3887bc7e0d30c06d898e9264a784b1c67a7900108966adc03de166 | 0 | 0 |
| Potential DLL Sideloading Via VMware Xfer | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 648e887ccecd76cd0db908de6276e6d379a7021e8b07c080829f668909643540 | 0 | 0 |
| Potential DLL Sideloading Via comctl32.dll | Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash) | Sigma Integrated Rule Set (GitHub) | 43388bbb3c4d294597535039c0850a6ff2f23c214590b3ad9a1187f758c50d53 | 0 | 0 |
| Potential Data Exfiltration Via Audio File | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a27c89bcbceb007b0a4687304876721a37af40db0950d4fb70e05d5cfbcd7050 | 0 | 0 |
| Potential Defense Evasion Via Raw Disk Access By Uncommon Tools | Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | a89a26f2bdfeb3c1f3e5ad8acf0a4a51ef45bb9859403cee7f91739b74d79dec | 0 | 0 |
| Potential Devil Bait Malware Reconnaissance | Nasreddine Bencherchali (Nextron Systems), NCSC (Idea) | Sigma Integrated Rule Set (GitHub) | 445394791bace711515155030aef534865553bd988b2b804ef1ffb18705db796 | 0 | 0 |
| Potential Devil Bait Related Indicator | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 301673a9f3cae7bcb7975bda50b7a581027e7db7f6c5ed3e24c088deb8d6c5bc | 0 | 0 |
| Potential Direct Syscall of NtOpenProcess | Christian Burkard (Nextron Systems), Tim Shelton (FP) | Sigma Integrated Rule Set (GitHub) | e01fcd88ad6ac5ad9762f652a28d6c714dc5ccf89b89c118bdd3bb33e5cf8abd | 0 | 0 |
| Potential Discovery Activity Via Dnscmd.EXE | @gott_cyber | Sigma Integrated Rule Set (GitHub) | 3532c0dc3eff7b92a7fbcf895c652861c958c9da1c800e53bbac333d170e565c | 0 | 0 |
| Potential EmpireMonkey Activity | Markus Neis, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5e739870e4f0680d4f5cb3caa8012e5362e20450756aaed3d6d5c2156e412a1c | 0 | 0 |
| Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp | Aaron Stratton | Sigma Integrated Rule Set (GitHub) | 50c60774fa108626ebfe23d57b56eec445eb8c8279be77ddeee68b957dcfb219 | 0 | 0 |
| Potential Exfiltration of Compressed Files | Greg Howell, OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 1211ca2125800a5536381bbbaa31e5785a63d393b5361c9c79a2fdc9327a21df | 0 | 0 |
| Potential Exploitation Attempt Of Undocumented WindowsServer RCE | Florian Roth (Nextron Systems), Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 14f73583aface1453a515ca93ca097876b59a07d76241effc32bf0199da3fb24 | 0 | 0 |
| Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process | Arnim Rupp, Nasreddine Bencherchali, Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 48dbaec155cb7265fad0b676cb9f6fc6036d1b55ad2ba82a696b996da7c2bc9c | 0 | 0 |
| Potential File Download Via MS-AppInstaller Protocol Handler | Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | 39f5929282111d370cc6a23bcd49a9fee247d6e037a308f4ff6d06d21158badc | 0 | 0 |
| Potential Forced External Outbound DCE_RPC | SOC Prime Team | SOC Prime Threat Detection Marketplace | 2b3b8e854d19405e5e6c9c31054a6c326d1039ac85adacc9d7aa4959aa5f1fc0 | 0 | 0 |
| Potential Forced External Outbound GSSAPI | SOC Prime Team | SOC Prime Threat Detection Marketplace | 19c3e23b94517f688049e3988bf887fd740097d02ec462d5b0eb20e52f2b568f | 0 | 0 |
| Potential Forced External Outbound NTLM | SOC Prime Team | SOC Prime Threat Detection Marketplace | aad30630b73b0f4a4236cce2c8d814e292ee13ba01bebf01326ebda63aeacc7a | 0 | 0 |
| Potential Forced External Outbound SMB | SOC Prime Team | SOC Prime Threat Detection Marketplace | b7eb3b4728494a3c2f99e1d09ccee9a7405011f233c531096f5ae77b9367a6c9 | 0 | 0 |
| Potential Forced LLMNR Lookup | SOC Prime Team | SOC Prime Threat Detection Marketplace | 263ef200cd98649e7eb618ce3d0700e62dfddb6368b1167c164c8437f249eaaa | 0 | 0 |
| Potential Goofy Guineapig Backdoor Activity | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f760ac944c015c43e49bc95f9bb577251fa129ba4b54a99d7224477f1a23d7ca | 0 | 0 |
| Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream | Scoubi (@ScoubiMtl) | Sigma Integrated Rule Set (GitHub) | 4ec129d4d31936095fbea41fd619d2ea1c7c39528507f4034f1f52123bd50eaa | 0 | 0 |
| Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI | Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl) | Sigma Integrated Rule Set (GitHub) | a50b188a0c105372cc80823fb02cd04fbfea498c22d7acc2429ecb15d8d41b9e | 0 | 0 |
| Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy | Nasreddine Bencherchali (Nextron Systems), Thurein Oo | Sigma Integrated Rule Set (GitHub) | 67d2f0a9c5f99ee88a81405bbee0076253b15e5de3ade6d2951e78bae186860a | 0 | 0 |
| Potential Information Disclosure CVE-2023-43261 Exploitation - Web | Nasreddine Bencherchali (Nextron Systems), Thurein Oo | Sigma Integrated Rule Set (GitHub) | e6b4000945eee0352f09a16a4f4d0f19b2b034aa18184d4825700d0ce9925693 | 0 | 0 |
| Potential JNDI Injection Exploitation In JVM Based Application | Moti Harmats | Sigma Integrated Rule Set (GitHub) | fad3443623ff791eb6c82707c02b2de557b50bf83c2eb68db5975f3485c48e0c | 0 | 0 |
| Potential KamiKakaBot Activity - Lure Document Execution | Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3a3f5d1b80edda2f9e47a63bc78d15ed80a3457e0676c523e0dbf32e84c3a93b | 0 | 0 |
| Potential KamiKakaBot Activity - Shutdown Schedule Task Creation | Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | aadd8a16cd6c42e6682cccf2d0459606a40819fbd2bb183516267a75594747f0 | 0 | 0 |
| Potential KamiKakaBot Activity - Winlogon Shell Persistence | Nasreddine Bencherchali (Nextron Systems), X__Junior | Sigma Integrated Rule Set (GitHub) | 4de2be13cacf0f45f04322e7db39c5518651cab02f5f211c894e7cfa81c7d93a | 0 | 0 |
| Potential Ke3chang/TidePool Malware Activity | Markus Neis, Swisscom | Sigma Integrated Rule Set (GitHub) | 189d7c7c265aa63d59bd8d89a83cf406231c66f42999d77ba7e92640c28bc2e1 | 0 | 0 |
| Potential Linux Amazon SSM Agent Hijacking | Muhammad Faisal | Sigma Integrated Rule Set (GitHub) | 1e627e6cc483700e2e597efbb4ebfcdcb428cc3642acf037a3c9ea08b5c7312a | 0 | 0 |
| Potential Linux Process Code Injection Via DD Utility | Joseph Kamau | Sigma Integrated Rule Set (GitHub) | f91a6c575f623bb0698d42522a32cb4879cfa398171e599ae6046abb8cb64488 | 0 | 0 |
| Potential Local File Read Vulnerability In JVM Based Application | Moti Harmats | Sigma Integrated Rule Set (GitHub) | 9af39f2ed3e3b18cca40b4e0a21721b0568af7d3201fe7bdf7ad2565cf623062 | 0 | 0 |
| Potential MFA Bypass Using Legacy Client Authentication | Harjot Singh, '@cyb3rjy0t' | Sigma Integrated Rule Set (GitHub) | f306280b14b5a548137fceb5167bfdeac16d66ff10cde77bbcc727ad1ce5f00d | 0 | 0 |
| Potential MOVEit Transfer CVE-2023-34362 Exploitation | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a093d6965209485347cfe03f8dd713d48eb48d1d5c59abbe91c61bca985808b6 | 0 | 0 |
| Potential MSTSC Shadowing Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 545e2b755dc7bda66c90dfd73d0da8d2692a4c7181d99d429ad2c0253be12ef7 | 0 | 0 |
| Potential Malicious AppX Package Installation Attempts | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5e0919971be7571eac4b6772525429cd48975a5f04e9640d9d771d9d255fd181 | 0 | 0 |
| Potential Manage-bde.wsf Abuse To Proxy Execution | oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ed5e62dadca0230ffc2a8a11cf9e699200080030ffff4d0d2fd4df79510c64c3 | 0 | 0 |
| Potential Mfdetours.DLL Sideloading | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3c249de34d9c2aab47db1131f60ea3e894e14cd30c274741b3287c3d97037e06 | 0 | 0 |
| Potential MuddyWater APT Activity | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c2860e5a2a470c1dbb00003a43f3a9f04e5180cb5c7ec9e7a5bdcdfdd86a15a9 | 0 | 0 |
| Potential NT API Stub Patching | frack113 | Sigma Integrated Rule Set (GitHub) | 198f69172026f9559d4d5812d834c3a6496fcd9e8ffd11d66ea3c850c4b5de01 | 0 | 0 |
| Potential NTLM Coercion Via Certutil.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1ad1ddce816e78648dcaee02b2a6b5ef136af51a5fe61fbcca6efa389780caf2 | 0 | 0 |
| Potential NetWire RAT Activity - Registry | Christopher Peacock | Sigma Integrated Rule Set (GitHub) | ce5ddd582faff7ef5d678ca346465de3df879ce2fce177a243fb03283ce96f91 | 0 | 0 |
| Potential Network Enumeration on AWS | Janantha Marasinghe | Sigma Integrated Rule Set (GitHub) | 891a14b4e2963ba9cd28a9f8db5a697df7bffc7f6707a176eb3adcd2b2ae9d2f | 0 | 0 |
| Potential OGNL Injection Exploitation In JVM Based Application | Moti Harmats | Sigma Integrated Rule Set (GitHub) | 54f77bf73ca31ce7e390062c6434fd91e751d5789bb544efab21957046f81146 | 0 | 0 |
| Potential OWASSRF Exploitation Attempt - Proxy | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8d2bb402de93dd0ae333adcd0593587b82287a88cd5ef9fd60e8943e53846dc6 | 0 | 0 |
| Potential OWASSRF Exploitation Attempt - Webserver | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 40bd574279339abab6a3bb1dec8360b10fb60b88bbb53f73a563550059559953 | 0 | 0 |
| Potential Okta Password in AlternateID Field | kelnage | Sigma Integrated Rule Set (GitHub) | 431e7c42d4ad56a7761c1286db98502540dfdd599f8023fa901f31410a21c3c3 | 0 | 0 |
| Potential Operation Triangulation C2 Beaconing Activity - DNS | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0b997b816a6c19f820031350de4154dfd55e473532750c4130c31a604e446091 | 0 | 0 |
| Potential Operation Triangulation C2 Beaconing Activity - Proxy | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 54e7b0e8f4fcdc02cd47d0e6a685c63c81a83fee4f2cd476bdc88792f4fb86f2 | 0 | 0 |
| Potential PHP Reverse Shell | @d4ns4n_ | Sigma Integrated Rule Set (GitHub) | b4e60160bef495f2c441b8e060e506efe487d230e792210187b34681a398fdf3 | 0 | 0 |
| Potential POWERTRASH Script Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f8ec4f9e19d45fc4d59388aa508789417de98b1d8d6a6efd70144f2ca3bbad09 | 0 | 0 |
| Potential Password Spraying Attempt Using Dsacls.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1e6e2c997f5cb3402940f88e835e1814a3c7b303d84c8d8a6bd46bd43e939912 | 0 | 0 |
| Potential Peach Sandstorm APT C2 Communication Activity | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0340e9dfea071a116ca5975ff117f52ed2f37f5ad45e4c914672529cc739a87f | 0 | 0 |
| Potential Perl Reverse Shell Execution | @d4ns4n_, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2946cc15641de2b4c9f7f9ce3a02823b2a8380cb380c5ee5fabb83b5bdda3ffb | 0 | 0 |
| Potential Persistence Using DebugPath | frack113 | Sigma Integrated Rule Set (GitHub) | 9817b3e3cfab10551b57cc2e003ae388febfa376415366efb3f4456f9129c8ac | 0 | 0 |
| Potential Persistence Via AppCompat RegisterAppRestart Layer | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 72a4106901b9bcb7dba0df1eab6bfd313b4e54960221b4b1dca3df9ba5776e07 | 0 | 0 |
| Potential Persistence Via CHM Helper DLL | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ebece964bd0597ba31444efa25ebbc200ba6fb9e06a00363622cb71b32d89b11 | 0 | 0 |
| Potential Persistence Via Disk Cleanup Handler - Registry | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0b56c5afbbfeaf6736e587543ddfc49dd642f65cf4bac766ffbd33f10fb56004 | 0 | 0 |
| Potential Persistence Via Event Viewer Events.asp | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3ca5f2d9877dd91bcb0c7608c36520f06523f20ff5d5ab01e5b1b068b0a3b518 | 0 | 0 |
| Potential Persistence Via Excel Add-in - Registry | frack113 | Sigma Integrated Rule Set (GitHub) | 610447ca663978c0dec6cf93f1f3b7bff0f850725191f04fdbbe5abd99e75aaf | 0 | 0 |
| Potential Persistence Via LSA Extensions | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f60a5c96d143ed087b9c32606a65b0d2014642125555c0e2d84334642bf05315 | 0 | 0 |
| Potential Persistence Via Logon Scripts - Registry | Tom Ueltschi (@c_APT_ure) | Sigma Integrated Rule Set (GitHub) | eb5ac2a9453d625eabdbb6cd9f3d499dc7ab375f902ebd8f915d5a3d033693ed | 0 | 0 |
| Potential Persistence Via Mpnotify | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 392341585070cc575fd0f086bd8557cbd9b42e5bf956192318c35de6fcb26080 | 0 | 0 |
| Potential Persistence Via New AMSI Providers - Registry | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 336b2653b2d53acce10e967662456beb2751b3c54417a280080fb5625a3ce752 | 0 | 0 |
| Potential Persistence Via Outlook Form | Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b8ad31e84529c4f0ecaff3ccdb07e6876487faa4fe4e57f07afb4d3a104ed7c4 | 0 | 0 |
| Potential Persistence Via Outlook Home Page | Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7b23c3334a69965bcad3cbae78bfb96013d973e4eafe5031ea53c5b35acadb90 | 0 | 0 |
| Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 526c6f8eef10c4c1b8603afa032ec61f611ae7d83b2988a1399fa76cb6b5536e | 0 | 0 |
| Potential Persistence Via Outlook Today Pages | Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6ae750585488b213e225f24f0cd7693782801986e4406629424e8bba973f8645 | 0 | 0 |
| Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9902e1055b1d4bd34f515d277c8b7ba16203bdcd2d39dc678788043361a3df0c | 0 | 0 |
| Potential PetitPotam Attack Via EFS RPC Calls | @neu5ron, @Antonlovesdnb, Mike Remen | Sigma Integrated Rule Set (GitHub) | 21730cbb0a1909a9d76a80acd4bde103b4ccadc42883b227a3f9568259cfbfcf | 0 | 0 |
| Potential Pikabot C2 Activity | Andreas Braathen (mnemonic.io) | Sigma Integrated Rule Set (GitHub) | 58518324fbd0fe2bd643f5abae4d5d56ba71835666c93c743750e3a92dbc05e8 | 0 | 0 |
| Potential Pikabot Discovery Activity | Andreas Braathen (mnemonic.io) | Sigma Integrated Rule Set (GitHub) | 5b8dc515e35a6b72b0ff0cfb65b2820de9027f0049b9626a796dd7b27406f3cd | 0 | 0 |
| Potential PowerShell Execution Policy Tampering - ProcCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5a13756c14e8aa038afbdb4efd3d382cfa14b7e2d9754b388dd079b222a34324 | 0 | 0 |
| Potential PowerShell Obfuscation Via WCHAR | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f25494bc9c5e8430fee8451d8958642f0d15778570833a0af3f2c0cc1592a4ca | 0 | 0 |
| Potential PrintNightmare Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 2905d462b4ac73a3e5bd0955b9303d3a939f9fd1715035a35ceccc567892e882 | 0 | 0 |
| Potential Privilege Escalation Attempt Via .Exe.Local Technique | Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash) | Sigma Integrated Rule Set (GitHub) | 0e09137ae6fe2a06029ed448ff414e9710dbf3d679a9e6708b4762befd21e666 | 0 | 0 |
| Potential Privilege Escalation via Service Permissions Weakness | Teymur Kheirkhabarov | Sigma Integrated Rule Set (GitHub) | eb45f6868e84101d08fc7e8ad4de6ebe7a9bdf7ab558ec191c3afe9857058360 | 0 | 0 |
| Potential Privileged System Service Operation - SeLoadDriverPrivilege | xknow (@xknow_infosec), xorxes (@xor_xes) | Sigma Integrated Rule Set (GitHub) | bb97779ed58fef8b7d6843a16b444d10cebd87234c0aab09d85ee1151b982c8d | 0 | 0 |
| Potential Process Execution Proxy Via CL_Invocation.ps1 | Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | 076e35f57ad985cac0733c6afe62d6b1e84acd633b22254d9de99c537d5d5c6f | 0 | 0 |
| Potential Process Hollowing Activity | Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S | Sigma Integrated Rule Set (GitHub) | 0ea4bb0eeffe1e9b554ecca4139dfa9b061c84d145a03c500e624d29f4717643 | 0 | 0 |
| Potential Provisioning Registry Key Abuse For Binary Proxy Execution | Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | bbb7657cb2e6ba9c27b2f7029d9bc8add03c6bfe18e327eff4c7cb9bae3b10b3 | 0 | 0 |
| Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG | Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | f4fe996b364fa339ae97809d2bb69b6d19b388169eb45b0b887ec41690f216a4 | 0 | 0 |
| Potential Python Reverse Shell | @d4ns4n_, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4b91dc7d635b10b9746e99a41fb0f36245f183f38dbfcfc94fb4e8bdd06e6933 | 0 | 0 |
| Potential RCE Exploitation Attempt In NodeJS | Moti Harmats | Sigma Integrated Rule Set (GitHub) | cbf44b87562b0786c6fa5b8dde93a92c9ed705aa46e05cdd7168ee68172b9833 | 0 | 0 |
| Potential RDP Exploit CVE-2019-0708 | Lionel PRAT, Christophe BROCAS, @atc_project (improvements) | Sigma Integrated Rule Set (GitHub) | 8b02859a07f68105c212ab8620bad0936e88ff1273a8ea016f9c1c6c6789a39e | 0 | 0 |
| Potential RDP Tunneling Via SSH | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 12074ed2612acda59c311b37dede60edf5bcac6c5e57379e8a2668ed4c92b296 | 0 | 0 |
| Potential Registry Persistence Attempt Via Windows Telemetry | Lednyov Alexey, oscd.community, Sreeman | Sigma Integrated Rule Set (GitHub) | ca3672e906735c6f2aa0f7aa73bd9796d29cd4f03ef8541b6bb17a0518502b51 | 0 | 0 |
| Potential Remote Command Execution In Pod Container | Leo Tsaousis (@laripping) | Sigma Integrated Rule Set (GitHub) | e79787b46b82a4ca8d76fa83e9d06a4ba6ccab7736936a057da4582db70c6c1c | 0 | 0 |
| Potential Remote Credential Dumping Activity | SecurityAura | Sigma Integrated Rule Set (GitHub) | f91881b7a52aa28d428a4b4ae3eb24c640f3624869a78c2bb9489aba67bc4bb6 | 0 | 0 |
| Potential Remote Desktop Connection to Non-Domain Host | James Pemberton | Sigma Integrated Rule Set (GitHub) | 4c5c4668e312589fc1aa4db734482c2b724cda2ae380d3de9dfdac43ccd99fc4 | 0 | 0 |
| Potential RemoteFXvGPUDisablement.EXE Abuse | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cb8936fcf36d16982575da13504782d400992adaac08cd26ba7845c4a4279dee | 0 | 0 |
| Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | c16e468ec3aab5a450c958946bf9ad962dd0a0b337178f1bdc125ca014779760 | 0 | 0 |
| Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 759253ba1bb36b861502eaa6dba06ea6212695bd498716a895e2d4d9560f45ef | 0 | 0 |
| Potential RipZip Attack on Startup Folder | Greg (rule) | Sigma Integrated Rule Set (GitHub) | fe224efff15c7f2738f0f64af49096cdca3e8c25601a4cc4b502682f304e7e9e | 0 | 0 |
| Potential RjvPlatform.DLL Sideloading From Default Location | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 527010f6a392f9bc92be562bcff1445fc8ba9de16d102a4dd3af06327098e82c | 0 | 0 |
| Potential RjvPlatform.DLL Sideloading From Non-Default Location | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 26ab63625d91d3e9562a4590b58637d67932adff68842c2c5bc522c3c9889944 | 0 | 0 |
| Potential Ruby Reverse Shell | @d4ns4n_ | Sigma Integrated Rule Set (GitHub) | e9154055e10f8e4dd72770d995295fca743f75ee40d95f3598ba2655ea07b35f | 0 | 0 |
| Potential Russian APT Credential Theft Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d891d43fe1fffa5c84fc567a5eaff4bcf0c35cfcfdaeda3284ed6d5becfcfe90 | 0 | 0 |
| Potential SNAKE Malware Installation Binary Indicator | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d2f884d8ae19466556fe0f2f92fccaea02d021c8e31aee243e0c32b908d8dfd3 | 0 | 0 |
| Potential SNAKE Malware Persistence Service Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 712497f02f6eb4aee90f17724caba93698f07236a4fab237fe58ef201e654f14 | 0 | 0 |
| Potential SPN Enumeration Via Setspn.EXE | Markus Neis, keepwatch | Sigma Integrated Rule Set (GitHub) | 5185237d06d1d2c6fa9f5b9940219760620e7dd4f1db2fbff05f0b081ce4967e | 0 | 0 |
| Potential Script Proxy Execution Via CL_Mutexverifiers.ps1 | Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113 | Sigma Integrated Rule Set (GitHub) | d4793fdc170cfc0019f263c5dbc49df48f39d366293c6a9ae195061e90baf017 | 0 | 0 |
| Potential SentinelOne Shell Context Menu Scan Command Tampering | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8d3e27dbca97f54305f24f4b37c83d7f89b93c26b19ac0f90e75e8558e3d021b | 0 | 0 |
| Potential Server Side Template Injection In Velocity | Moti Harmats | Sigma Integrated Rule Set (GitHub) | 122a24bfd7e46b09906fbb6d6d221bb9f36d50f453ef1fb73dfa4f942979c6c2 | 0 | 0 |
| Potential ShellDispatch.DLL Functionality Abuse | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e9ce0d9e0400d7af3add7ee879ecade11b110391df9c6ab37d87096e63275ecb | 0 | 0 |
| Potential ShellDispatch.DLL Sideloading | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8d4f4b259e5a0b8f91e32ddcccbd06e7718f63585c6eaec02373107971a7873f | 0 | 0 |
| Potential Shellcode Injection | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 78e9f82c41bd7abb0fa5ed70e1985671ecce98ccc467e595abcf6ba4071f3817 | 0 | 0 |
| Potential Sidecar Injection Into Running Deployment | Leo Tsaousis (@laripping) | Sigma Integrated Rule Set (GitHub) | 03eaa2de8b9af345cff6ae3d00bc9b402cdfd3046c2c89b668705f4e281b6496 | 0 | 0 |
| Potential SolidPDFCreator.DLL Sideloading | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 310b795db8446f3c63d837483dd65a97d2aa3d68cad9b23c5a85a110efb5ca73 | 0 | 0 |
| Potential SpEL Injection In Spring Framework | Moti Harmats | Sigma Integrated Rule Set (GitHub) | db008d3f2913789cf0217b44cecfa8272b47cd78ef0fe59e7acbff0da4e8b597 | 0 | 0 |
| Potential Storage Enumeration on AWS | Janantha Marasinghe | Sigma Integrated Rule Set (GitHub) | 78674217f9ca84766ae74ee3b4bbe39f72d4a01ab2079a9909e951e0d7a52531 | 0 | 0 |
| Potential Suspicious BPF Activity - Linux | Red Canary (idea), Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | d2482e52c41f8e7ca8a8e8ebd482d5e16b5454903c5227091350394fede522a2 | 0 | 0 |
| Potential Suspicious Child Process Of 3CXDesktopApp | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1a01b47f4dc1278271f0262c854cfcbcff9169c1f532c688a39c60427eb9897e | 0 | 0 |
| Potential Suspicious PowerShell Module File Created | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fcb2d414e444fdd8367c51cb9741ea65824d63131833c2851f5bc6b5dd3dda1c | 0 | 0 |
| Potential Suspicious Winget Package Installation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 73cfbc2b95d24b1c60e83c5551680db699298bb44a46eb64b1bb3d2d1b81085c | 0 | 0 |
| Potential SysInternals ProcDump Evasion | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4c04c35bb6dbf1db959d95305aa16cbcc55b7bd2298b02e7631319a06d67f192 | 0 | 0 |
| Potential SystemNightmare Exploitation Attempt | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c8b63d7e7a86cd816ca0855c66d0465f223a68621bc59cdb85639e382e022118 | 0 | 0 |
| Potential Ursnif Malware Activity - Registry | megan201296 | Sigma Integrated Rule Set (GitHub) | 4e3571c62f910de9f4ea1bd62ee26b408ad26db209250c61eb74239ce71fc827 | 0 | 0 |
| Potential Winnti Dropper Activity | Alexander Rausch | Sigma Integrated Rule Set (GitHub) | d6c33aea206d318b0bebc06af8753c1497ad0abc154f4b62be36cc3893897876 | 0 | 0 |
| Potential XCSSET Malware Infection | Tim Rauch (rule), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | 069e8a740adc1baf8b590a6cb54d6b4414a9db3e8f17c48f1c099dcd52539b4d | 0 | 0 |
| Potential XXE Exploitation Attempt In JVM Based Application | Moti Harmats | Sigma Integrated Rule Set (GitHub) | 99a0308cfc5b0853c651c4a7c403e5b998b8d8f6b759f40638639611db7a336d | 0 | 0 |
| Potential Xterm Reverse Shell | @d4ns4n_ | Sigma Integrated Rule Set (GitHub) | 616f2a179167156381d864c1f0118b389c44953dbf66c3be6231d4f9758b27f2 | 0 | 0 |
| Potentially Harmful Attachment | SOC Prime Team | SOC Prime Threat Detection Marketplace | 5f9b3f2dc239f570301cb831ea6671acf4414fbb82a5dc4df877925dbc1176c8 | 0 | 0 |
| Potentially Over Permissive Permissions Granted Using Dsacls.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7ec99afd2c64f5d0f371316a37c71cac508492800b7897c3fdddcf4b2d6a25fe | 0 | 0 |
| Potentially Suspicious AccessMask Requested From LSASS | Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update) | Sigma Integrated Rule Set (GitHub) | 021958a970490c9f053ccc5d257c9c5f17746ceb0270b213e185a4c9354e912c | 0 | 0 |
| Potentially Suspicious Call To Win32_NTEventlogFile Class | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 65df4fd101a63caf2dd5aa69d06d267db56e0eda1f1e0f6e575182bf95d31466 | 0 | 0 |
| Potentially Suspicious Child Process Of DiskShadow.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fe951123e5b287b74b47be87582e8aeb31175e28fd03c5b6152c4331729109e5 | 0 | 0 |
| Potentially Suspicious Command Targeting Teams Sensitive Files | @SerkinValery | Sigma Integrated Rule Set (GitHub) | e407c4a5680764011db5e78bc7a86f3cb2195d4ea24c642bd28c04a04c2144fe | 0 | 0 |
| Potentially Suspicious GrantedAccess Flags On LSASS | Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community | Sigma Integrated Rule Set (GitHub) | ed9636ccdbf53d675f6ffecccee23b849237a42f01ec09ad9ebf4ac4ed4a3afb | 0 | 0 |
| Potentially Suspicious Office Document Executed From Trusted Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 060b2eb17a53682999ff3ccaec21d9099a3bc8b7930156ecfb264f85e9ebb895 | 0 | 0 |
| Potentially Suspicious Self Extraction Directive File Created | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 9542d319b698f342b537a6e0f25abd10a20a18e2559e3bab788fd26c354d88b5 | 0 | 0 |
| PowerShell Base64 Encoded Shellcode | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dbe1887e879ebc1177cca950ec8a82a43b96e7015767750a0118dc61344ccdad | 0 | 0 |
| PowerShell Decompress Commands | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 40fcac117060a3b800bb902b404dce3cc30abc9822159a68c7414603e70e131c | 0 | 0 |
| PowerShell Decompress Commands | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 46f9d269c8a2f1c1c268482b8f189bfcb71e5f354e01cbc485f42aaa02be9a64 | 0 | 0 |
| PowerShell Execution | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 77eafc1cb5e5d7dea37874133cea2270c0c4189a07aa4cf039207c99c17281fb | 0 | 0 |
| PowerShell Execution (Potential event manifest tampering) | SecurityJosh, Roman Ranskyi | SOC Prime Threat Detection Marketplace | f2ffe839a68caf5469d7f0c6bba1649431891460f9c08271507f594cb5080470 | 0 | 0 |
| PowerShell Get Clipboard | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 8a27ef77773c5b6e0ce2da04cdccf4f14f01015bd4dfadcb9f07ab0905d766a0 | 0 | 0 |
| PowerShell Get-Process LSASS | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8fecdfab629105e4822e49c9dae2daf531f93b9b9f4a90cb0ba780ea4a09adac | 0 | 0 |
| PowerShell Obfuscation using SecureString | Den Iuzvyk | SOC Prime Threat Detection Marketplace | a885d4a4024ecfaa6ba2d4e707d9c8f3f22ff62b6990332557b511f2f8dd3198 | 0 | 0 |
| PowerShell PSAttack | Sean Metcalf (source), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 229ea6fc4268ad28126e92f6f1ebd4679c50f3be77030a58b60af12fa0ef8eb3 | 0 | 0 |
| PowerShell SAM Copy | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f82541606097e898ede6da39077c7fe527c1fcd403d041ebe375f28d5f4339fc | 0 | 0 |
| PowerShell Scripts Installed as Services | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | 1364ad75b0dc2267d0c0662c954f3be5c9215494cf31c1e20fe403ea6c3e83c3 | 0 | 0 |
| PowerShell Scripts Installed as Services | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | 445aaa2d9f84a2f2f097156daf5b3f2cf8034d25addcd37e1889105ca6dad11b | 0 | 0 |
| PowerShell Scripts Installed as Services | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | 467dfca5cc97071e4d713c6a6403209934b96ad6317643eef8e56b83b8134f8e | 0 | 0 |
| PowerShell Scripts Installed as Services | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | 6f49f2ed2359b28b3bbcce4b12451150c3c512387446684ad0f02ffa5ca11b5b | 0 | 0 |
| PowerShell Scripts Installed as Services | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | 8ccccb7310714bae7f496aec46cc573dd0bc8f2794b820a3070864fbdb99fdbb | 0 | 0 |
| PowerShell Scripts Installed as Services | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | f1c32a70362f7ed2aa5c0293edb9c51408a0bdb4a1d93b8f101b2d7c38590993 | 0 | 0 |
| PowerShell Scripts Installed as Services - Security | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | 2cc62e06802026a69ee67d8dbae18471e27c0c724a1733602613735fb6fd72e5 | 0 | 0 |
| PowerShell Scripts Run by a Services | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | 014598477a00db3dbeee84e541504e310712bfb7380fe0f6c18921580f829d4e | 0 | 0 |
| Powershell IEX Download In Base64 | Joe Security | Joe Security Rule Set (GitHub) | 47700446a254048704b602b4820482299b526c610cd8cfa3a164f19784195ba9 | 0 | 0 |
| Powershell Launched By Winword | Joe Security | Joe Security Rule Set (GitHub) | ed5457ba384a36ef60723b4fa6a186fb0048d8947aa3ad64ee30284ed1b8b658 | 0 | 0 |
| Powershell download file and shellexecute | Joe Security | Joe Security Rule Set (GitHub) | f5d1804b36d00e52057d36ac92f04d0f6434083c9a000d916380a1c01f1c01c2 | 0 | 0 |
| Powershell load assembly from internet | Joe Security | Joe Security Rule Set (GitHub) | e4b3ed1b620f60e713a7faf984b8fa2b870914dfe494ac56f99bffbb5133e11f | 0 | 0 |
| Powershell load assembly from registry | Joe Security | Joe Security Rule Set (GitHub) | 5388b2590b9ed2f4d530c9eac824a7ddde5512e4224c1a64b5a6da98fee0fbeb | 0 | 0 |
| Powershell sleep and launch executable | Joe Security | Joe Security Rule Set (GitHub) | 1f9a2d4cfcbbab989273e05d81a5ab3ca1e580cddc3b839707dc19d6731f93a9 | 0 | 0 |
| Powerview Add-DomainObjectAcl DCSync AD Extend Right | Samir Bousseaden, Roberto Rodriguez @Cyb3rWard0g, oscd.community, Tim Shelton, Maxence Fossat | Sigma Integrated Rule Set (GitHub) | d52fe14049b24733e329f274322c156982d55e21e66e25758d8e7bc91aa8c4fe | 0 | 0 |
| Predator The Thief (command-line detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 1f8699a3474b828805b77c6ed86f5b86087391365eed233992d6ac3d289bc822 | 0 | 0 |
| Predator The Thief (command-line detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 5422d5ef2c42f4981afdae1e5ad6c5159df8099190c17da497f76919f0cfbcfc | 0 | 0 |
| Primary Refresh Token Access Attempt | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 507efff36f4d1d9578bbca3e86a88ba66d63fbf8351024fcc49c8163a50d904f | 0 | 0 |
| PrintNightmare Powershell Exploitation | Max Altgelt, Tobias Michalski | Sigma Integrated Rule Set (GitHub) | 9994b75f6dfdb006404fdee33726452e641b8b07bbd4b6c79f61249f3ef3c1d3 | 0 | 0 |
| Printer Service Modification | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 16ca1eb37f09dfe266d2553018aa5c7f236b3fe27572ab1215a0f4fa1302f765 | 0 | 0 |
| PrinterNightmare Mimikatz Driver Name | Markus Neis, @markus_neis, Florian Roth | Sigma Integrated Rule Set (GitHub) | 093a9d8f83c2689c873979bf87e2d4d8082037d9d782bf32ca870205e3992ffc | 0 | 0 |
| Privilege Escalation Preparation | Patrick Bareiss | Sigma Integrated Rule Set (GitHub) | 9a8a7c1b00c147f05b82612499df919b5a2fd429c3bb0c64866b947ab39671e8 | 0 | 0 |
| Privileged Account Creation | Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton | Sigma Integrated Rule Set (GitHub) | e861a14f2c52a51bd98832bb13bd1ed6707da37c1e16677ca79b9c7eabf23459 | 0 | 0 |
| Privileged Container Deployed | Leo Tsaousis (@laripping) | Sigma Integrated Rule Set (GitHub) | 37617159af5873c5fc3955e5961f3215a6fc68872c73ca903d1491d48808423c | 0 | 0 |
| Privileged User Has Been Created | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | f557dad53a5d5cb35f9e758c0849c8fa86a6d79823278d1cf2dc1c20383d1139 | 0 | 0 |
| ProLock Ransomware Behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 2b9a1b8b36ad0dcdf24999b97bc2c86059ce3203d996f676ee280fa946653458 | 0 | 0 |
| ProLock Ransomware Behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 7a7f19c4b3dd631c48ffccc302c2a36f81088073798fbc563b9c645f20f5fb19 | 0 | 0 |
| Process Discovery | Ömer Günal, oscd.community | Sigma Integrated Rule Set (GitHub) | 0085bf33f8f7fe01581d6bf7c6463a6396d9843436e5c10f0da6186171d0b9c8 | 0 | 0 |
| Process Dump via Comsvcs DLL | Modexp (idea) | Sigma Integrated Rule Set (GitHub) | fc647ef855e070dd8c71ac9bee02eb59a9124eded234012d31fef82c72b8c1b0 | 0 | 0 |
| Process Execution Error In JVM Based Application | Moti Harmats | Sigma Integrated Rule Set (GitHub) | dfb2e4a4a0450400e94d502497a2fc43e3d603704d680cac03f5c15c392418a1 | 0 | 0 |
| Process Memory Dump Via Dotnet-Dump | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f8d54c64dfd2f8b6616c664df28444b2fd67f01d8bbd65a847865fcb86e7c723 | 0 | 0 |
| Process Memory Dump via RdrLeakDiag.EXE | Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5cdfd68738b7b527a6fe7958d3484f9854aad921a6148f39e7a6851417647792 | 0 | 0 |
| Process Memory Dumped Via RdrLeakDiag.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2d7bbe44a845a98779776b889cc1c74c4e424725151f7aae9eb73be3b70f4dac | 0 | 0 |
| ProcessHacker Privilege Elevation | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2149649a6e304c127fc371a6342964619569b0ba1bcd812d2381173324736db4 | 0 | 0 |
| Processes Accessing the Microphone and Webcam | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | b956cdd9fcde5ccf08a7776e2989b0bfad944b79dd75e20c11d38bb24dbfbfc6 | 0 | 0 |
| Processes accessing the camera and microphone from suspicious folder | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 7b3cfa10cc9723d7c4fa50a1b3b77c1b9689fe594822023e09771ed6cbdce53f | 0 | 0 |
| Program Executions in Suspicious Folders | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 22c7d8bc06e4a35a3045524848896a9e21533b194fcdbca7ed641a2a8fa7a4de | 0 | 0 |
| Protected Storage Service Access | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 67aa4f89c2b8f751b7be7a7123233e4baca5464a20c273bfce1d81fcd1589781 | 0 | 0 |
| Proxy Execution Via Wuauclt.EXE | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team | Sigma Integrated Rule Set (GitHub) | d8bd87c5bebb059ab6031d2484dd86fc3c0f14c4dcadd27895205b1267ab7658 | 0 | 0 |
| ProxyLogon MSExchange OabVirtualDirectory | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0c6a87dbb998eae574f7a8317bcb860cd4acabdaef209f25c80bc5fb2e54d5af | 0 | 0 |
| ProxyLogon Reset Virtual Directories Based On IIS Log | frack113 | Sigma Integrated Rule Set (GitHub) | bd2871cff93ff62a864fd7b4e13617d202605e22089c562c84540f8a8d25392b | 0 | 0 |
| Ps.exe Renamed SysInternals Tool | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 508460a99a052814512ff212e0f6f3bb5e1d3de21c79ff3e24f6d05463448b1d | 0 | 0 |
| PsExec Pipes Artifacts | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | d5a93fd832fa665cec13e7681c2db65b6feb3c719a2ea43cf408a884503fa0b3 | 0 | 0 |
| PsExec Service Installation | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | a140e6a4ca5fb32569012656b50cf8d077ed195688bccda1b6cd6a7bcc32aea0 | 0 | 0 |
| PsExec Service Start | Florian Roth | Sigma Integrated Rule Set (GitHub) | 7e4741cdaf6a396a8d975ad542687436b6beda2f0282db17805ebf9b52098289 | 0 | 0 |
| PsExec Tool Execution | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 0846916c3d5af2a322cf42210119c1d28945f9733c842830a4caf16597462ac0 | 0 | 0 |
| PsExec Tool Execution | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 1518bae3460d45d1166480cfdbf8f19603549ebe5930c037d7001c15d30c322b | 0 | 0 |
| PsExec Tool Execution | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 4b9b15bf02c7c8b9fd6f4a020a6318957101b14776b4e6ab6375abc57ce2d101 | 0 | 0 |
| PsExec Tool Execution | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 7f0d5bf894afae6dab8a011197896b06675a9c3089b1b1ffffc6efca6e2eae29 | 0 | 0 |
| PsExec Tool Execution | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 8cab50a6d456060d4de01cc18fbe85b349cefb689386336cc8fe05f8854c9f31 | 0 | 0 |
| PsExec Tool Execution | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 97af35b4172a9333d69b01cdb4d6c6f7b49b0f0d665b4bd4c66b4a3bb793547e | 0 | 0 |
| PsExec Tool Execution | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | b677aa8615b26b7047d758b5e937e92d67219dafb0f4168698b819a2fd7dd925 | 0 | 0 |
| PsExec Tool Execution | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | cbdad3dc58dae0d5b7ccf82a897b981e992a31f8f2a45d86fb8554c1c5bafdb4 | 0 | 0 |
| PsExec Tool Execution From Suspicious Locations - PipeName | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 849c3c78b941ab4dab9f45aaf26d961a2e8030d6ad5edcce51fb665a1ca0c64f | 0 | 0 |
| Publicly Accessible RDP Service | Josh Brower @DefensiveDepth | Sigma Integrated Rule Set (GitHub) | 84b66d47b8f699ef0111cfc0d68cdc2be9451bc55091156ee5cbb23cce133b76 | 0 | 0 |
| Pulse Connect Secure RCE Attack CVE-2021-22893 | Sittikorn S | Sigma Integrated Rule Set (GitHub) | ab8e48d7ca9cf33f92ac8c77e2ba4f029ae209d2bc21b576b7d3870ff51a9215 | 0 | 0 |
| Pulse Secure Attack CVE-2019-11510 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a4eac94c575b5162661af9888cf6bf6e1c6b2765b9129be15a313f4f596de87b | 0 | 0 |
| PwnDrp Access | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3c12c79f550c4f0f3128094db8b532ddb7997afc5d22889d546ed3c68317e67c | 0 | 0 |
| PwnKit Local Privilege Escalation | Sreeman | Sigma Integrated Rule Set (GitHub) | 063047aaaa5a444ae30399fbd344970fa1ba8de23905f8fd009f6a04624e794d | 0 | 0 |
| Python SQL Exceptions | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | c355e46fd180c68033fae6aa264ce176fc46107a47b4ad0a22812ae40f1fd65b | 0 | 0 |
| Python Spawning Pretty TTY | Nextron Systems | Sigma Integrated Rule Set (GitHub) | 9d935ffebc9ea6afd4785a686eab56350dab3324b761c57a75fd429ccefd7a3a | 0 | 0 |
| Pyvil RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 1946000b4b23e17072b4e16f69f6d214b8cd744492cfc3d809c91c0250a9329a | 0 | 0 |
| Qakbot Uninstaller Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7885bffc96d4acd43e379541a35e00f1ea7757d9e2b46ca5b45ef5d6458adf64 | 0 | 0 |
| Qealler Detection Rule | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 2d552bed0d3218f870cdd17abb035a0f71ec2c158035fe612e2476aec61930f4 | 0 | 0 |
| Qealler Detection Rule | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c272bf0614a45f345c008e393b47040de6ef75f4a3e3494853f36aa9768f0736 | 0 | 0 |
| Query Tor Onion Address - DNS Client | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 76cc73e374696ea0a366a34cf357d06863e53886014404e8257d8a1b95893623 | 0 | 0 |
| Query Usage To Exfil Data | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 96f2931025ffc4a127c2844a00a39d318b1070e8b6327244cff3371de2ffea71 | 0 | 0 |
| Quick Execution of a Series of Suspicious Commands | juju4 | Sigma Integrated Rule Set (GitHub) | ed973bd3154186b4b9179b400d5cad9f28291698fa066588f22e9cc1fb5f8ed9 | 0 | 0 |
| Qulab Trojan (Covid-19 abuse) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 15e1323de6b754fd8ed09a65a9756cee2a8cab604d50013ef15dfb651b0154ef | 0 | 0 |
| Qulab Trojan (Covid-19 abuse) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 36a825331394fd916bee36fdbd94d6fc383f14774529b3c9facc40eb7f1ad066 | 0 | 0 |
| Qulab Trojan (Covid-19 abuse) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 82a3dfab9619a2d77e3d28664ef300769a61d65c3e3b1739dda336dc4af6cee0 | 0 | 0 |
| Qulab Trojan (Covid-19 abuse) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 88c142bc27fcc02afe262a8b8b280ab0acb99f4224c53fcbcaa33db318bc8824 | 0 | 0 |
| Qulab Trojan (Covid-19 abuse) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d2fd35d9e091008717a1ddb2ba521ecdd25ba3b5491c719179b54b0b099349cb | 0 | 0 |
| RATicate Group behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d107f1b47b43fc725572a5dc8b69c66ee12cc6062ee0a67c4a35ac7cb778d95b | 0 | 0 |
| RBAC Permission Enumeration Attempt | Leo Tsaousis (@laripping) | Sigma Integrated Rule Set (GitHub) | af423b03abecfef860464c8af46fae7cc2987651d251f27cbd41c77ec2ecfd09 | 0 | 0 |
| RClone Execution | Bhabesh Raj, Sittikorn S | Sigma Integrated Rule Set (GitHub) | 5c18d54d0d1977fcaa16d7b119948395edb249365b6c767ea18e95c6b44204a5 | 0 | 0 |
| RDP Dashboard (Overview Query) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 71a226733f7f12aa303328c542409ef9b1016c750c4a8f78c86a615e3da3cf6a | 0 | 0 |
| RDP File Creation From Suspicious Application | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3f973e695640f51f0a956113bb198bf96115be3d8efc02dfd38f6e5d088658d1 | 0 | 0 |
| RDP Hijacking. Last logged-on user changed. | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 5af33fb9edf5af983870138dd17270a22ec3c4046fa58eb0a27c209c5951b03c | 0 | 0 |
| RDP Hijacking. Terminal Services Manipulation. | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 3d69986e07af4e5398ea63ef3256bdbbd6215aa1823e591de5088f16896f0c5d | 0 | 0 |
| RDP Over Reverse SSH Tunnel | Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | 0fc2c398ce1141e654d51055a3df9803bd5e0031fec24100cf28a042b9b9df0a | 0 | 0 |
| RDP Possible Non User Login, Abnormal Screen Resolution | SOC Prime Team | SOC Prime Threat Detection Marketplace | ff0ab5b6cd3ebd7aeade8aa8b55790d7096ac7ba96d54a8ed6587d0c5f25da39 | 0 | 0 |
| RDP Registry Modification | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 7aaf54115e7c0d8450b858520101c04264b58e033da253ad20a672a00b52b5ae | 0 | 0 |
| RDP Sensitive Settings Changed | Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | c1a07dc6104bfa9dcd638f1c9f04504dafbbb28fdf3a4f36dc6af48802194787 | 0 | 0 |
| RDP over Reverse SSH Tunnel WFP | Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | 9ac83d94dd47e5c8ac03b8678d0569ce163716d072aa690ee44b67d5ae12510a | 0 | 0 |
| RDP to HTTP or HTTPS Target Ports | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2b8403bd1b6574c14ce1493e5f5de4e00d30c999ff9cee5b9999cfd3af6754e5 | 0 | 0 |
| REvil Kaseya Incident Malware Patterns | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fc2108a980d79a05e920b28c15d995fa0652a1dda317ce1fa22da44d694541d3 | 0 | 0 |
| RMSRemoteAdmin | Joe Security | Joe Security Rule Set (GitHub) | abb330cf6694939eee00022cc1eadd65b14603c20a76a3c590d95ef23c61b22e | 0 | 0 |
| RTCore Suspicious Service Installation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 403b0a2a2b9dd42ad41302ae9b660d4d26e2c3656250fc4443de7a6064387c74 | 0 | 0 |
| Racoon malware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c5bc56057878575689e1e8062054f20ea3f118c0e52f17403445a2bb339ea3f9 | 0 | 0 |
| Racoon malware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ef297eac8d295b521dbb1e207df57db1a1e62453c926eed3fd6bfc9460b6f6ed | 0 | 0 |
| Racoon malware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | fece10118d7e85693008b838c2f78dbaea6c1f125c622c3dbede3df3d3e401e0 | 0 | 0 |
| Ransom X Behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 016eb94fa1071faeb02a09e52d8d7e64b3702d3e8cdbb12683eb99da9b3b4889 | 0 | 0 |
| Rare Scheduled Task Creations | Florian Roth | Sigma Integrated Rule Set (GitHub) | 95b4be8473d9667e7c486d85a5a38d5d2a0fe7d4716c86448e7f15cbbd167c80 | 0 | 0 |
| Rare Schtasks Creations | Florian Roth | Sigma Integrated Rule Set (GitHub) | 52bcf8d53a2e9861ebf212d6fb5c8c8000ff4ad6aef25806a201b8115c7c5852 | 0 | 0 |
| Rare Service Installs | Florian Roth | Sigma Integrated Rule Set (GitHub) | b4520bca6240f5cea8758ebfe31a5de0d007fb4ee971d1504eb4afaf9aaaf107 | 0 | 0 |
| Rare Subscription-level Operations In Azure | sawwinnnaung | Sigma Integrated Rule Set (GitHub) | 73526ac545356edf8d7771865258ba2671d34ed6c9c1e4e89dda4f64833fc5ca | 0 | 0 |
| Rasautou.exe execution. | Den iuzvyk | SOC Prime Threat Detection Marketplace | a34ca7a1c15bec9b90de6c46395088c6d253b54b770a60de680af7cd9943c085 | 0 | 0 |
| Raw Paste Service Access | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | df29e480a1da07c9864f41b5f7bf34765c1d2ea9af15046dd3aec14367536f8f | 0 | 0 |
| Rclone Activity via Proxy | Janantha Marasinghe | Sigma Integrated Rule Set (GitHub) | 2e214e304ac2df75080e9a16298177ab81a6aca44143bab0ee894a4118e0e324 | 0 | 0 |
| Rclone Execution via Command Line or PowerShell | Aaron Greetham (@beardofbinary) - NCC Group | Sigma Integrated Rule Set (GitHub) | 1f67c2169d6cb6e70c9bac22b944ff64fa959097dba5e8b963852d6c58fc8e1a | 0 | 0 |
| Read and Execute a File Via Cmd.exe | frack113 | Sigma Integrated Rule Set (GitHub) | b711425de1432e74de57cdd7e431ffa5538e3e182e4d3a240d3b43307e91b436 | 0 | 0 |
| Recon Activity via SASec | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | 91406863070d5d2bd89753daf362eb0a0bfc365a80daebaf4d62a52a017628d9 | 0 | 0 |
| Reconnaissance Activity | Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community | Sigma Integrated Rule Set (GitHub) | e4f2c05322c3be28c50da39003b02312523eac5e2b83bf820349a063d6e18167 | 0 | 0 |
| Reconnaissance Activity with Net Command | Florian Roth, Markus Neis | Sigma Integrated Rule Set (GitHub) | a6adbabf733244eb498c551ed9ba1387ba2997a06332e517c89b955160edea9a | 0 | 0 |
| RedLine Stealer (COVID-19 Campaign) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 1d84ec4dfb91d5af2a7692cc37b5fe558279fe33b3b6ae373987f71ba7df5e8b | 0 | 0 |
| RedLine Stealer (COVID-19 Campaign) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4f3bb7ac672f51adf9d944139cabbb66f52ef10a9abcfea24b65ba3c1cfc1252 | 0 | 0 |
| RedMimicry Winnti Playbook Inject | Alexander Rausch | Sigma Integrated Rule Set (GitHub) | 13e4345b125509a08fb73bfaf0cf1f2320148020c7e45ab1cf8b47ef011db176 | 0 | 0 |
| RedMimicry Winnti Playbook Registry Manipulation | Alexander Rausch | Sigma Integrated Rule Set (GitHub) | 86b53f7f939e5987f63a77e6b31ad7f58f28592bead63b31894216d116ecd120 | 0 | 0 |
| Redaman RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 1544d96bd9a34be41d2e2c976346e9c6ced04c82b6490ad0606f48640531400a | 0 | 0 |
| Redaman RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ef28bd95f54d82f5f8245ca837359781d3cfb48f7f3e7401ef6bbebff3dbea8e | 0 | 0 |
| Redaman RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f43a2b6a6d965289e8bde09c684b476bca7c77b88f1f4ed4f95a687d394b94ac | 0 | 0 |
| ReflectiveLoader | Joe Security | Joe Security Rule Set (GitHub) | f972e2d6ad7812da19ebfc6d0e73c5dba52f470a48646159facd3ffa24e4d8df | 0 | 0 |
| Register dll at autostart location via regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | 6e3d105ee67957d16975a4ff8dcbbb38b9c8dd21ccd2dc07e9c194a6c153ba98 | 0 | 0 |
| Register new Logon Process by Rubeus | Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | f7cacbd7c0676adf78318bb6d9de688bc97c4aa69d5afa2f1d55866ce06b3867 | 0 | 0 |
| Registry Entries For Azorult Malware | Trent Liffick | Sigma Integrated Rule Set (GitHub) | 4ad66d0e46670f58101e391ac2d114fc7e3b06243c7b81888faf05840934d168 | 0 | 0 |
| Regsvr32 Network Activity | Dmitriy Lifanov, oscd.community | Sigma Integrated Rule Set (GitHub) | bcbb15efbb568b9a302a100e8cea3e019b9b8d04fbcd5d17a4439b424fe30e59 | 0 | 0 |
| Rejetto HTTP File Server RCE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9d25e8f3b7a408cce3020ec891aa2c9d254d0bb95c93a745e52ec2873b33d7a4 | 0 | 0 |
| Relevant ClamAV Message | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5105b3bed3732f01c5689b867054b8ff7c5645b8ef18842d89506409437037e9 | 0 | 0 |
| RemCom Service Installation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 94ff4e1c11f1bf5be4a8869812feb2932fabd4cc5e49880fbd6fe0f69deb3133 | 0 | 0 |
| Remote Access Tool - ScreenConnect Backstage Mode Anomaly 2 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 34f0db47e8b5676494bd567d6dcefc056f586f53e54cae216f839a0edbda0022 | 0 | 0 |
| Remote Access Tool - ScreenConnect Command Execution | Ali Alwashali | Sigma Integrated Rule Set (GitHub) | 119f6fc00b16937e65f95d63f6b9b37cb054fcad68f3774c227967ef50e4e246 | 0 | 0 |
| Remote Access Tool - ScreenConnect File Transfer | Ali Alwashali | Sigma Integrated Rule Set (GitHub) | ad690d55fec7c8db17c717e335f9ec49638a68595e03fd7b694234ccd21a2831 | 0 | 0 |
| Remote Access Tool - Team Viewer Session Started On Linux Host | Josh Nickels, Qi Nan | Sigma Integrated Rule Set (GitHub) | 6c2edf77f04c7ba0c3638548a556ff8b389023df182d1550e0180512d7244d2f | 0 | 0 |
| Remote Access Tool - Team Viewer Session Started On MacOS Host | Josh Nickels, Qi Nan | Sigma Integrated Rule Set (GitHub) | 3c4a5af05488455cbbc622e1b3dcffe7b7f3894e37e6209d81a162115a1ce002 | 0 | 0 |
| Remote Access Tool - Team Viewer Session Started On Windows Host | Josh Nickels, Qi Nan | Sigma Integrated Rule Set (GitHub) | 9d82f797fb61b3b2f1f6f4178877e646690abed4bef54b954f510ceae314cae8 | 0 | 0 |
| Remote Access Tool Services Have Been Installed - System | Connor Martin, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 34d687f60f7081819f22b40f767564ddb3f05dba154f9bf5b54b294790adf12b | 0 | 0 |
| Remote Code Execute via Winrm.vbs | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | 38b612a88929aab8a1ee49b6e7616c06ee06da5daeb4e09a215f9c865d870910 | 0 | 0 |
| Remote DCOM/WMI Lateral Movement | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | 76151d6bf2fc3c0b97c2fee917e1a0080357b46b16489662b6fa8263e0496e2f | 0 | 0 |
| Remote DLL Load Via Rundll32.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b54d8cf49ff7956497c3752537e0cfeaabc7024d7d9fca9d241be6642ecf992c | 0 | 0 |
| Remote Desktop From Internet (via audit) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 96a069aeb5c6003d5e4ffe4aaf6d30be7b05d356c661367a348514a7c2c5beac | 0 | 0 |
| Remote Encrypting File System Abuse | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | 96236156e2ee08a2c6488cad57235da4ac1f1668452f6d3dfe12cbc63561e4e3 | 0 | 0 |
| Remote Event Log Recon | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | 084e455e139db853ab3b4ab4ab764b1175dafc7b984e75b97342170f20ca55c7 | 0 | 0 |
| Remote File Download Via Desktopimgdownldr Utility | Tim Rauch, Elastic (idea) | Sigma Integrated Rule Set (GitHub) | 007d500df65d3b4648dd4b2a4ac8f56d68be1fd30cbdaa49b85a4562e30045a4 | 0 | 0 |
| Remote LSASS Process Access Through Windows Remote Management | Patryk Prauze - ING Tech | Sigma Integrated Rule Set (GitHub) | 847efb8ac13cfab516079fc4fc864f42a81274705a40c71c2e343e3ff59586c4 | 0 | 0 |
| Remote PowerShell Session | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 48a36a2180adc9f076d8a15c870bb4583783f4984a012d21d17fe64439511244 | 0 | 0 |
| Remote PowerShell Session | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | d2a86c0c533d4197640ec3742c4054be9017d215efd16a8d462456a23db8a109 | 0 | 0 |
| Remote PowerShell Session (PS Classic) | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 3c98610bc94a5c8803f6eafb310dc123666199b4a9df90abd38486461927a020 | 0 | 0 |
| Remote PowerShell Session (PS Module) | Roberto Rodriguez @Cyb3rWard0g, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 1cef3fd3818cc81e0b14412af94c6998bf6abb8a8d1f5ea344f2457a1f880d4c | 0 | 0 |
| Remote PowerShell Sessions Network Connections (WinRM) | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 6590a6d9a0f48ca7180efed5cdf2aadb0d828795034779b5860a47b16c811835 | 0 | 0 |
| Remote Printing Abuse for Lateral Movement | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | c1395541e69b13da1cc1035bd62879eeb1acfc7c1f1a9893f15c9b59a1c28e79 | 0 | 0 |
| Remote Registry Lateral Movement | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | fade93fb2f758f1a6346aca4b7934c0341cd25ebab27572619bc172b71009a7d | 0 | 0 |
| Remote Registry Management Using Reg Utility | Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 89100186dc0ee80d9ed100f7046a9a131a40270385fdcd8994b102aa36f06ae5 | 0 | 0 |
| Remote Registry Recon | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | 0da2bf3f60f78c0157fba802e07c3429c2db9548a0013bf3b3d2fcb972c63c67 | 0 | 0 |
| Remote Schedule Task Lateral Movement via ATSvc | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | f0e4f6d27b4fd5dc309f86da16647af515cbdf3ff8216f8cabf86bfc4257419a | 0 | 0 |
| Remote Schedule Task Lateral Movement via ITaskSchedulerService | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | 701f035f5884ee4e19bd1ff43cc70cf5d5e81841ee79396985c6c44acdfd08ef | 0 | 0 |
| Remote Schedule Task Lateral Movement via SASec | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | 9e297ca71464dc800ebb88178374050e41c76cfa93ca53b1c1ac7112ca2a59ae | 0 | 0 |
| Remote Schedule Task Recon via AtScv | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | 646f3e37fe63b5b63d5c4d10d4924628a4bc2b065df2a3ae0a56e0ba7bb881ae | 0 | 0 |
| Remote Schedule Task Recon via ITaskSchedulerService | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | b783f32d9efa0aebfdad80828d907141658b4b1480d1320fb76eb660d70e23ca | 0 | 0 |
| Remote Server Service Abuse | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | da75ed5683633515c46fa481740b55f4522cff9f091d422bae1f247e45ce571d | 0 | 0 |
| Remote Server Service Abuse for Lateral Movement | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | 934211e43314d94ed7f6c8efc2244f86909a5b8f30ce068d411a1112499fc69c | 0 | 0 |
| Remote Service Activity via SVCCTL Named Pipe | Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | 046ceb0cf9b6078b4d6bd583847ee8a30ecc082fb018cd5de8af33d9203a2519 | 0 | 0 |
| Remote Task Creation via ATSVC Named Pipe | Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | fde467e8c3cd6651030d60821479ab66e029e1c6541daa5a16b3611959c7b529 | 0 | 0 |
| Remote Task Creation via ATSVC Named Pipe - Zeek | Samir Bousseaden, @neu5rn | Sigma Integrated Rule Set (GitHub) | 236138dfbc31327293697d57944480418437a91071cb427e4f48f5755f2319df | 0 | 0 |
| Remote Task Creation via ATSVC Named Pipe - Zeek | SOC Prime Team | SOC Prime Threat Detection Marketplace | 92258356e34556c631e9519ae4be82df3ecb4ccaf390d03c459a5df6a3705804 | 0 | 0 |
| Remote Thread Creation In Mstsc.Exe From Suspicious Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a66219b9893f218ea353a3d8a78dde7723ef124a5c44bbd9cebee2c0dbcd54ed | 0 | 0 |
| Remote Thread Creation Ttdinject.exe Proxy | frack113 | Sigma Integrated Rule Set (GitHub) | 189197a49d8126294ed2c23b20893779206b4782cc2551afbbe1722f1d678531 | 0 | 0 |
| Remote Utilities Host Service Install | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 049536c134b08489b2b3df8a57a3964bb79a0d00ed73127a72a8a0fa8979dd5b | 0 | 0 |
| Remote WMI ActiveScriptEventConsumers | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 820499826df98e19e14c24dac63db285b19863b3c8af168e63e83a6df9d864d8 | 0 | 0 |
| Remote XSL Execution Via Msxsl.EXE | Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | f06fd682fbbc36afc396827d0dbb64111adce81986a9e0c99fdb0eb993c160d1 | 0 | 0 |
| Remote execution via sql extended stored procedure xp_cmdshell | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 375cb93c2bb69dad51d360b1936e69ba1b68424e34970ff0b9b9c6b9c98f989f | 0 | 0 |
| RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses | frack113 | Sigma Integrated Rule Set (GitHub) | e78750ceeb186d5ea5bbcfb7f9ba741b6d8d9978b25212d97a252621b5af87cf | 0 | 0 |
| Remove Exported Mailbox from Exchange Webserver | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bdfd4f3c151a5adc98ef77f6ac75cdfd440bb51043d01c27b94e2a5a63f4f4de | 0 | 0 |
| Remove Immutable File Attribute - Auditd | Jakob Weinzettl, oscd.community | Sigma Integrated Rule Set (GitHub) | e28706c6a53a1d6ff572114998015648c27e89167c10379905d0cbc361712d41 | 0 | 0 |
| Rename Common File to DLL File | frack113 | Sigma Integrated Rule Set (GitHub) | 5751a067fbf836a0ec2042f15f744ef655cdc2ee27881317888cbe4b90cd6e0e | 0 | 0 |
| Renamed Gpg.EXE Execution | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | 5a49ecd7f952fdc3a8c06f737a883ee952fc5bdce4fbd1f2d5aa5025ad061150 | 0 | 0 |
| Renamed MSHTA launching html | Joe Security | Joe Security Rule Set (GitHub) | eef2c27cd98b92f6ac98d5b6fa781fc1ef9fcb1fc12f0e72db41aa0308a33ad7 | 0 | 0 |
| Renamed PsExec | Florian Roth | Sigma Integrated Rule Set (GitHub) | d266707276cd7f46b3d33b3a78f17f69e9160d8f795bf07d8c7020b49aad1da3 | 0 | 0 |
| Renamed Visual Studio Code Tunnel Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5af3ca2fabb1cc81f223ed0b11170ee66082573a935c386243fb2f002424e947 | 0 | 0 |
| Renamed VsCode Code Tunnel Execution - File Indicator | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3467d11ea5d66414bef93a224daeb48123de2243dd60cb03ca3254bcef0a881b | 0 | 0 |
| Renamed ZOHO Dctask64 Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0d4118d9a3bcc02c529a5322214c7e45fc4ad36aec272ddc3772230315188701 | 0 | 0 |
| Replay Attack Detected | frack113 | Sigma Integrated Rule Set (GitHub) | 1113406498002581ef054c392e090b7b400cc3e0301119adfa080cd98c499f9a | 0 | 0 |
| Restore Public AWS RDS Instance | faloker | Sigma Integrated Rule Set (GitHub) | 1a859b52b21821dc4f0a817ce7326759948e5b2065d00479202bffad5175fc08 | 0 | 0 |
| Restricted Software Access By SRP | frack113 | Sigma Integrated Rule Set (GitHub) | a0d00057a0c01bda531d1c9a53a1b51c8167ab1a8a2c4d9d465e44832aef00a0 | 0 | 0 |
| RestrictedAdminMode Registry Value Tampering - ProcCreation | frack113 | Sigma Integrated Rule Set (GitHub) | 5075a0208eb230de355c4c0125a6de311c4310421450c41c6c09a979f9ce0307 | 0 | 0 |
| Roles Activated Too Frequently | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | d2214f29236c45bb4e9449fd45ef39c1e55a6a3aad3c6be8b1ba9108d24412c4 | 0 | 0 |
| Roles Activation Doesn't Require MFA | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | f3fb0037446d788e29e1262d1d15849decc54eb03e834247e69c18ac923a4316 | 0 | 0 |
| Roles Are Not Being Used | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 60ed14e4c1ff20704e2fc54bd659bc4dba9801a0f98b5889fb7c4bb951d31639 | 0 | 0 |
| Roles Assigned Outside PIM | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 9f4e9045c66727a675ca6f6b92e4a56b5622d0e6279fbeb6e5337061dd2512bd | 0 | 0 |
| Root Certificate Installed | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | fde7c67804bf2f25cc674d242987b96bb244126d9568bceb7c9a208193fe66a6 | 0 | 0 |
| Ruby Inline Command Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4e72a03a2703fcfeb3890299c29d7d61e57b5eb6ed8a9aaf75ee955c0f035e09 | 0 | 0 |
| Ruby on Rails Framework Exceptions | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | b3e15ce29c0578285d8af1d8092873431b79ef0d74202d48d1b55dccaaa861de | 0 | 0 |
| Run PowerShell Script from ADS | Sergey Soldatov, Kaspersky Lab, oscd.community | Sigma Integrated Rule Set (GitHub) | b0a64287d64cf778925e076c13aae743cdb5da1000efa636d98364e0e42edf83 | 0 | 0 |
| Run PowerShell Script from Redirected Input Stream | Moriarty Meng (idea), Anton Kutepov (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | 64fc279e6738ccc6db931977799249729de73acffc5034f83e3094bc34ab2011 | 0 | 0 |
| Rundll32 Registered COM Objects | frack113 | Sigma Integrated Rule Set (GitHub) | 7c35c5e190d2003a2d4041136456fdb91373e2bb241bae4f3e196b6cf9791dee | 0 | 0 |
| SAM Dump to AppData | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cdbc62d2dc895924c046364f27452f287723a2b72efb654ba041280d91f69acd | 0 | 0 |
| SAM Registry Hive Handle Request | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | d98473553a7ba81cf9e2ce17e305853d35be853a95ef549fc405dfa67f646391 | 0 | 0 |
| SAML Token Issuer Anomaly | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 6fe6438e68fd6c9ff792e33bd2c36f00afdb69d926012d0f29682658c996286f | 0 | 0 |
| SCM DLL Sideload | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f591d8827dd487431d191a08c0ef0b3002b70d07e4be97d0eeebe789ec5a6c25 | 0 | 0 |
| SCM Database Handle Failure | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 4b5721fb3c1349a8cd1a6f9e87bed2fef39d379476067fe7fe05c685e4a9a382 | 0 | 0 |
| SCM Database Privileged Operation | Roberto Rodriguez @Cyb3rWard0g, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 30a1135097fc1ebdc8fe0b030918fe2ad05ad4512d17062d8d1920bdd5cfbdbb | 0 | 0 |
| SES Identity Has Been Deleted | Janantha Marasinghe | Sigma Integrated Rule Set (GitHub) | 8489090038621dd5392b648970249cd8c9c766f53b29337d3382719ef8d5dee1 | 0 | 0 |
| SILENTTRINITY Stager Execution | Aleksey Potapov, oscd.community | Sigma Integrated Rule Set (GitHub) | 0f63070b903766c40f1681e44325de9e396c2b6dd03613b2686896de828564fd | 0 | 0 |
| SILENTTRINITY Stager Execution | Aleksey Potapov, oscd.community | Sigma Integrated Rule Set (GitHub) | 8275c8ed59f78788721cb0f9d2fe01fae3fbfd381cd3c846fe2715c4a5f8adfc | 0 | 0 |
| SILENTTRINITY Stager Execution | Aleksey Potapov, oscd.community | Sigma Integrated Rule Set (GitHub) | e20a4ca9a2ec3dbe28c1851ecdb7656f0b386147843cdb3a7f3d749bfb40defd | 0 | 0 |
| SMB Create Remote File Admin Share | Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 8ca9660ea1755b4e1702a1cae3092454355f15fc519799fdb87d3e6839afa23c | 0 | 0 |
| SMB Spoolss Name Piped Usage | OTR (Open Threat Research), @neu5ron | Sigma Integrated Rule Set (GitHub) | 01306ab05e6ee3fec1a74538de482f1e109754346730be0a73742b46a7c7eaeb | 0 | 0 |
| SMB single file created then deleted successively | SOC Prime Team | SOC Prime Threat Detection Marketplace | 7ffa016b10d3241bd89a2006ec066c969c740b97ae3cf7ec5cc91eabf2c6335d | 0 | 0 |
| SMBv3 Compression Enabled | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 5f65bceb308a9da7f66986e86311c701f4f34184d1833cfc7e465767fb18a102 | 0 | 0 |
| SMInit exploit chain | Den Iuzvyk | SOC Prime Threat Detection Marketplace | e0fca2cc0e2ed43fc1a0c7b399ded68159180c4f82074a3f3124e26c3139fc6e | 0 | 0 |
| SMTP Email containing NON Ascii Characters within the Subject | SOC Prime Team | SOC Prime Threat Detection Marketplace | 5b50e56fccf5b9b41516c2fc14cbfb85fad941e5eacb051891a2493db49fac93 | 0 | 0 |
| SNAKE Malware Covert Store Registry Key | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 286b122eca59824270b1adc399c30c3b1f3c68085962301cabed356fac8f308d | 0 | 0 |
| SNAKE Malware Installer Name Indicators | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 18a353fd9b7db6facb29c0c73ebbfd6f4dce4015f7d410371d3509a3d67371e2 | 0 | 0 |
| SNAKE Malware Kernel Driver File Indicator | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c285daef847eb612384249dd8ce4054ccb3b8e877013c7bbc4a958e8c25d66c1 | 0 | 0 |
| SNAKE Malware Service Persistence | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a4cc0f73c6009fcd80147af40027b2902c5525519aa27fb56cba802ecf4e011e | 0 | 0 |
| SNAKE Malware WerFault Persistence File Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ad153b7af83236ec911a9dea2a21c28c85a22c4a47925296a3dae8cbe4590261 | 0 | 0 |
| SOURGUM Actor Behaviours | MSTIC, FPT.EagleEye | Sigma Integrated Rule Set (GitHub) | 225f115c0a824b3ec735568b05a49394fa6da38bcdc9e2f71661b34a9bde1c53 | 0 | 0 |
| SQL Client Tools PowerShell Session Detection | Agro (@agro_sev) oscd.communitly | Sigma Integrated Rule Set (GitHub) | 8e776e236be945ae976b2513cef49318e8986b57ab334e2a8f2a9968f4a3081d | 0 | 0 |
| SQL Injection Strings In URI | Saw Win Naung, Nasreddine Bencherchali (Nextron Systems), Thurein Oo (Yoma Bank) | Sigma Integrated Rule Set (GitHub) | 7940d1dd84f2a311d67ac511006deeead549c05a4cadaca9908e1071a153106c | 0 | 0 |
| SSH Inference Abnormal Client Activity | SOC Prime Team | SOC Prime Threat Detection Marketplace | 213b04a00fc3394df6cb347b642ceb29f5e7294a1d6d7203e21998962369643a | 0 | 0 |
| SSHD Error Message CVE-2018-15473 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5ac7c90edd2ba8133a86c284d95dae84b58026895599a4943646e0e39367e995 | 0 | 0 |
| STOP Ransomware and Vidar Ransomware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4ae55153d32cc3b88c7e99d12dbcc4db828e7f96ec3ccbe3b8f662ef4d09e2ef | 0 | 0 |
| SamoRat Behavior (sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 2fbdd381a1c20671e2c9bd733e716a02c99a470023981c60de3e3402ff08313f | 0 | 0 |
| SamoRat Behavior (sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 60faa771bf16cc7cdbc224436c0b3d9d093455f39f5b6094fe2dc5614ca2b130 | 0 | 0 |
| SamoRat Behavior (sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8a1644eccd8d683fe61a26387c655e1d85bff90b49640b5d8c65940e4e1973d0 | 0 | 0 |
| Scanner PoC for CVE-2019-0708 RDP RCE Vuln | Florian Roth (Nextron Systems), Adam Bradbury (idea) | Sigma Integrated Rule Set (GitHub) | 6b75b0b00b5529a6a6d3fcf1ff03341ca43c3fa7fdfcc055f26dd0ba221f2213 | 0 | 0 |
| Scarab Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 67396c2c1e0ebec89ce7662df24f8bed3f20cbe387e6a2b465188037e579b084 | 0 | 0 |
| Scarab Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e1354c1cc16fda38432e3dd01a191f253341fe937e23156238d85e90d8191395 | 0 | 0 |
| Schedule Task Access or Manipulation over SMB | SOC Prime Team | SOC Prime Threat Detection Marketplace | c155230c5fcc90d90646898aa82112b6f73ac2e0dc430ad9dce7826e28297cdf | 0 | 0 |
| Scheduled Task Executed From A Suspicious Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 15b780610320e0cfabf2c7f2a3e99c7fe20a876e623b1766cf12e063459a4a1b | 0 | 0 |
| Scheduled Task Executed Uncommon LOLBIN | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6ddcecbde6b55aeeb520ebbf03e191e6d557ab30f54057044b5bc55ec773be40 | 0 | 0 |
| Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor | CISA | Sigma Integrated Rule Set (GitHub) | c8954187d9d21d8eedbeb881855b447aa93d6b5059bb535e561276097048e844 | 0 | 0 |
| Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler | CISA | Sigma Integrated Rule Set (GitHub) | a6e446aea0df0c06f82209e8090a738e780fb85921275f71e955ea8b289811f8 | 0 | 0 |
| Screen Capture Activity Via Psr.EXE | Beyu Denis, oscd.community | Sigma Integrated Rule Set (GitHub) | 959d7cd5c3bea11a5cd183693349bf492efb4f2d787903a7c74a5c24cbc60b34 | 0 | 0 |
| Screen Capture with Import Tool | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | ea2f87ff45a684c78cb46d65af3705037b7721905ce237e6daa335a3fd7b5769 | 0 | 0 |
| Screen Capture with Xwd | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | c3c6c21ad23cac48bdee8d46a0a64de20e48510c5ed1617d23cb328129b7f580 | 0 | 0 |
| ScreenConnect User Database Modification | Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress | Sigma Integrated Rule Set (GitHub) | caa995267b72e6c9534b4b29cf06953f3b30ac6a92293200b6ef29f73e66a5b5 | 0 | 0 |
| ScreenConnect User Database Modification - Security | Matt Anderson, Kris Luzadre, Andrew Schwartz, Huntress | Sigma Integrated Rule Set (GitHub) | ff0d812436f093b3eaafe438c81181a7f8d8fed42babe673e7ebd4b0fcb6f330 | 0 | 0 |
| Script Host Engine Modification | Den Iuzvyk | SOC Prime Threat Detection Marketplace | fcd207e8b19603f1d4e5450c04a2007f88780ea51861992a3e346474d646cbbd | 0 | 0 |
| Scripted Diagnostics Turn Off Check Enabled - Registry | Christopher Peacock @securepeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | 9274cf922b3625879a3f420c530d8b660107daf65fa7b38b8b5f369fda1f9550 | 0 | 0 |
| Search-ms and WebDAV Suspicious Indicators in URL | Micah Babinski | Sigma Integrated Rule Set (GitHub) | 78505d9583fe31f0583ad71ece5f1245f3f2eefb8905ca8688d9feeb476709d1 | 0 | 0 |
| SectorB06 Behavior (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6ffdda4e9d83f1b99a99568822f16d5a5a458ffccdb25fad469aaf2dbb8f0dd9 | 0 | 0 |
| Secure Deletion with SDelete | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 183ca715ffa97f30b076bb2c8793c0cb64221f3ad05c65fb425e3a38faac3645 | 0 | 0 |
| Security Event Log Cleared | Saw Winn Naung | Sigma Integrated Rule Set (GitHub) | f32dc431e5951341656e9d55c58e0047b56f1beee18a05bd2b1e816ddbd10a17 | 0 | 0 |
| Security Eventlog Cleared | Florian Roth | Sigma Integrated Rule Set (GitHub) | 152b1150f7da94998822f9e55f3591b37d319fd7ce375004d24703a99aa957a5 | 0 | 0 |
| Security Eventlog Cleared | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e20a3a5b38df7ceb5e94712485f6285fdd2ca0b40cf0a5eed31a42bbc779e4ff | 0 | 0 |
| Serv-U Exploitation CVE-2021-35211 by DEV-0322 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 624b1600e93d3b9c6146b0136e00c73c8c809fe24a3f5299cbd4de5d727d1833 | 0 | 0 |
| Server Side Template Injection Strings | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8be6ef597decb64e9ab2582c7dd28a516b83e83d5c4b5850af7a0b6eac340c2c | 0 | 0 |
| Service Control Manager Communication(RPC/TCP) Modification | Den Iuzvyk | SOC Prime Threat Detection Marketplace | b7809c2203acd7e06846efb5d0cddd1ab656f1e9f41b1f1bbff1bf84603a0a48 | 0 | 0 |
| Service Installation in Suspicious Folder | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ecc2d5e13f4048a943326cbda15ec3d934a2379d58b271ad16c46189579f9c7d | 0 | 0 |
| Service Installation with Suspicious Folder Pattern | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fb2028325a4f87324e9edcb5b742eda0a4ac7bade1e145f5e58a007aba469d7f | 0 | 0 |
| Service Installed By Unusual Client - Security | Tim Rauch (Nextron Systems), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | 4ae747251f5a1ed8f070b4c0ecfc3352b9da4943765ab946543ffdde7c756baa | 0 | 0 |
| Service Installed By Unusual Client - System | Tim Rauch (Nextron Systems), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | fdf624a22581cc3c063ae7fd1e4dd1e99a58b3ef843c6986807c58c5ca7b7bd5 | 0 | 0 |
| Service Registry Key Read Access Request | Center for Threat Informed Defense (CTID) Summiting the Pyramid Team | Sigma Integrated Rule Set (GitHub) | 7fa1be381c006dfeba6f964575748edc6519587e19f58682a109bada3be7b59c | 0 | 0 |
| Service Registry Permissions Weakness Check | frack113 | Sigma Integrated Rule Set (GitHub) | 12c54ba61c9b654789342d689a197406cec675bbda5716b7749539b147856e21 | 0 | 0 |
| Setuid and Setgid | Ömer Günal | Sigma Integrated Rule Set (GitHub) | 8c6d633ce7d27d281b8cc113ebb409901529acad5564c5a8758ac987fc31b2b7 | 0 | 0 |
| Shared Webroot | SOC Prime Team | SOC Prime Threat Detection Marketplace | 3dbc7016da1cb9e2f97a1a07a36ceac8fa6a6df1669425785241bc69b0d6d966 | 0 | 0 |
| SharpHound Recon Account Discovery | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | 82d74781c34f25d3963d40a84d98293c4a767dee41198122dbcdc066b41aad22 | 0 | 0 |
| SharpHound Recon Sessions | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | fcde4bad2b316aa5c50739fa2789441e354c796e17de4002c9f4dfc70d6b19f7 | 0 | 0 |
| Shell Execution Of Process Located In Tmp Directory | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 2222191f8dbc0e4567d362898966f0d346e7e7390085bc83070b25f0e2d1a43a | 0 | 0 |
| Shellshock Expression | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c6e62a3980f00e65b47fe7e5da5be2a0c6a37bd3ba4b893ee3c533fea9a42f74 | 0 | 0 |
| Sign-In From Malware Infected IP | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 7c2cf63a01529bf63e4ed859c3d334960b8ec287edeb2f3dfa7c3abfe6bfb47c | 0 | 0 |
| Sign-in Failure Bad Password Threshold | Corissa Koopmans, '@corissalea' | Sigma Integrated Rule Set (GitHub) | 6bf6fec1da30b8d431f68ac226d24159012838564f9beeca79a4c213bababf14 | 0 | 0 |
| Sign-in Failure Due to Conditional Access Requirements Not Met | Yochana Henderson, '@Yochana-H' | Sigma Integrated Rule Set (GitHub) | 9094c41d2c9288a3a78c9fc7618fd76d15838e94943d4729b7a29b073c5806f2 | 0 | 0 |
| Sign-ins by Unknown Devices | Michael Epping, '@mepples21' | Sigma Integrated Rule Set (GitHub) | 96b99f7206b6b8aca46b96048c5bff459ae8f2155805d43770f16914eb023669 | 0 | 0 |
| Sign-ins from Non-Compliant Devices | Michael Epping, '@mepples21' | Sigma Integrated Rule Set (GitHub) | e58716418a4b598e01a2ba107b73a1510daed3d3576704d86d55dd211cf4b2fb | 0 | 0 |
| Silence.Downloader V3 | Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community | Sigma Integrated Rule Set (GitHub) | 357adfc0bd514a2087509d1a67412a62f8823fd9caa3b6bcb80328828f9ed240 | 0 | 0 |
| Silence.EDA Detection | Alina Stepchenkova, Group-IB, oscd.community | Sigma Integrated Rule Set (GitHub) | 48a4a06b77cb84b45614503f3dd1035f0a83b236c4f840f9feab9be366a47d1d | 0 | 0 |
| SilentProcessExit Monitor Registration | Florian Roth | Sigma Integrated Rule Set (GitHub) | 11ecefcf79daf3998440bd34d870da91d9c7644eb708e0f933349a5ec077fc87 | 0 | 0 |
| Sitecore Pre-Auth RCE CVE-2021-42237 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ad5d590f46596f06240eee4586f7acc7d925fcf0ea9f364266b902bedd614224 | 0 | 0 |
| Sliver C2 Default Service Installation | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 73157d5ea395adeaf1723c8c84248879d4189a305b0c332f3bed48eb0f00fed5 | 0 | 0 |
| Small Sieve Malware CommandLine Indicator | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ee6c995a1e51ef35a2acd3d7fb9a6270865ae48e8e97fb9d5b54d5dbff7ede11 | 0 | 0 |
| Small Sieve Malware File Indicator Creation | Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a5e1682ac1131f69642630802a35b4640016f5c05b8e5f3c79433bfa04ead1f1 | 0 | 0 |
| Small Sieve Malware Potential C2 Communication | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 438093b5ebf25921ae4e01d62578bd2d7f449a265706be0d5e6f0d043ab61afc | 0 | 0 |
| Small Sieve Malware Registry Persistence | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a6c980e209ade1d1ed5e1ff396f56524c18e4268c151f397bd45d6b5e8367c40 | 0 | 0 |
| Smoke Loader Behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 0f0b6b52e3342eb0329e8ff51f0683aa5892c55d6d44aa49fcdbdf0f25761103 | 0 | 0 |
| Smoke Loader Behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8d6d3b800ba936bb6910fd8bbf9551207e2288db95a5dafa6474e8a1d2f2d5fc | 0 | 0 |
| Smoke Loader Behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d4f0a8b263fcf2d7b93ad451aab578895046944691b0ea3e4379ef1e9ccf7937 | 0 | 0 |
| Solarwinds Launching Powershell With Base64 Encoding (via cmdline) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | 30b4784c9d03d78a809bed19df233f6f95fc2c8325b32af97e0b1b8d24c6676e | 0 | 0 |
| Solarwinds SUPERNOVA Webshell Access | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 81250a3a43500530ef04ff62b918cc5690b18cc4d09b4f77315012231acaa8bd | 0 | 0 |
| Solarwinds launching cmd.exe with echo (via cmdline) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | 0174ab54fed285f5c38eceee197f8a60debfec2c3aa590604079831c288a9fb6 | 0 | 0 |
| SonicWall SSL/VPN Jarrewrite Exploitation | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e272203177abd4fd109dd93ae0e9913836f80a81b43eec0c819720c72843582c | 0 | 0 |
| Sophos Firewall Zero-Day explotation (Asnarök attack) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | abea43cce1ab59b98d083a4bc5077c3e4acd49c745ee202f392405853fd46664 | 0 | 0 |
| Source Code Enumeration Detection by Keyword | James Ahearn | Sigma Integrated Rule Set (GitHub) | 91e80be4f3cb482bed8e242eb9e418e4fee5b1aaf32e61f4ae6d7def7d537d66 | 0 | 0 |
| Space After Filename | Ömer Günal | Sigma Integrated Rule Set (GitHub) | 96dade50824ff0a3a7ba5d5a9abc82419f0df174afff971fe0d7d87e74061785 | 0 | 0 |
| Split A File Into Pieces - Linux | Igor Fits, oscd.community | Sigma Integrated Rule Set (GitHub) | 3adbeb64ee2cc89f2825fbd133547fe3d84aac1ee5d48faaf2375b7c8364f74b | 0 | 0 |
| Spring Framework Exceptions | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | b9855abb1feaca99e5181199bf4d256c29f0150d137ed61e9cef83ce27764295 | 0 | 0 |
| Stale Accounts In A Privileged Role | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 6d400ed2347a68bfd63c4c9a884df17a9b73ea2eadfc65f4d6056d00d13d0e08 | 0 | 0 |
| Standard User In High Privileged Group | frack113 | Sigma Integrated Rule Set (GitHub) | 140f4579c57f055d3465794c871b82107ea1afc8f6eade149c3957e99b7a8d3e | 0 | 0 |
| Steganography Extract Files with Steghide | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | 9e28a144fe3121ecd3d91e846d0e1d5fb7be043db90ebdcda4ce1ddc629e0b78 | 0 | 0 |
| Steganography Hide Files with Steghide | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | 2bc5697bb7a12c272490c67a3d83002e19dfb4722525786e91a4fba4c8b9ee97 | 0 | 0 |
| Steganography Hide Zip Information in Picture File | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | bb93f264dbaa005c9bc379b7db5eaa5cd680009288c824a9916340aef05188bc | 0 | 0 |
| Steganography Unzip Hidden Information From Picture File | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | 100e9962a68f74be52b70ad11285a16a1d1aa29e419831b60158672ee356b344 | 0 | 0 |
| Sticky Key Like Backdoor Execution | Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | baf8cb1a268fb3d9173b5474a184cb8fd04489192832ac12dcd4d826248523b2 | 0 | 0 |
| Sticky Key Like Backdoor Usage | Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 210403ed0765f9206944ba0e7ae9a7fed3b74606aa7d5defd92b45c7565c50b4 | 0 | 0 |
| Sticky Key Like Backdoor Usage | Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 846842612cb81a07c0a4439f34127f7229a040a0618300a962ad5a95316f5417 | 0 | 0 |
| Sticky Key Like Backdoor Usage | Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | bec9d927518cb9af8ee98a6cde08e6a1f05090534e3b3c24e8ced8ae93e15311 | 0 | 0 |
| StoneDrill Service Install | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 09c420a38066758c0236577ccb5fd401e138351217d25dbeae1220521c446472 | 0 | 0 |
| Stop Or Remove Antivirus Service | frack113 | Sigma Integrated Rule Set (GitHub) | 7c4cece5b540c72f100dd8b8b7fc1c10727460ec0f36c75249e28ed51d6348ef | 0 | 0 |
| Successful Account Login Via WMI | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 19ef4372b7c2775276ff1cd9b0da8737a7f6e8739d252d7f90e3f3ba296d1c78 | 0 | 0 |
| Successful Authentications From Countries You Do Not Operate Out Of | MikeDuddington, '@dudders1' | Sigma Integrated Rule Set (GitHub) | 97943fe57ba127d66118662bbf0978fa8ba9f641660a7e32ae61103ccce8f6e8 | 0 | 0 |
| Successful Exchange ProxyShell Attack | Florian Roth (Nextron Systems), Rich Warren | Sigma Integrated Rule Set (GitHub) | e33130e6f328543f0b8bb35ef1bb2f92e015fe84965c32bf1d82d85dd00e1c1c | 0 | 0 |
| Successful IIS Shortname Fuzzing Scan | frack113 | Sigma Integrated Rule Set (GitHub) | a46c1f051bcaa146c4a9adddc286b70714cb1365fe10a19aa2dcc7fd1aaaaf0f | 0 | 0 |
| Sudo Privilege Escalation CVE-2019-14287 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 01dc28806687bbabc12e4c23cb8e022a4a81f459e26a267f34656b9e1aedf31e | 0 | 0 |
| Sudo Privilege Escalation CVE-2019-14287 | Florian Roth | Sigma Integrated Rule Set (GitHub) | 284295b46bb8dd089813e305d695c5a0d85a5bde29f85e014d643b3cf63bbeb7 | 0 | 0 |
| Sudo Privilege Escalation CVE-2019-14287 | Florian Roth | Sigma Integrated Rule Set (GitHub) | 37747140310b15c961b277ca418c6bcac1cfbd1a54e54df2a20cf743aa17f317 | 0 | 0 |
| Sudo Privilege Escalation CVE-2019-14287 | Florian Roth | Sigma Integrated Rule Set (GitHub) | 75e40e43cc29db5d459f59bcc8d869264e37cb55976f57b0d731c18039306935 | 0 | 0 |
| Sudo Privilege Escalation CVE-2019-14287 - Builtin | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1ddcb9d1b179a17e011ac90c0294b7768bd99cc9d2a79c0df5506d870771953c | 0 | 0 |
| Suspicious ASPX File Drop by Exchange | Florian Roth (Nextron Systems), MSTI (query, idea) | Sigma Integrated Rule Set (GitHub) | bb948403cd4897a7fa0bd4130c539655d1c16b15598553c6a34568c919031785 | 0 | 0 |
| Suspicious Access to Sensitive File Extensions | Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | c31fff6fad64dfd4138d6e166a46e20bf4a25db7117bc20b82965e7ed11982d3 | 0 | 0 |
| Suspicious Access to Sensitive File Extensions - Zeek | Samir Bousseaden, @neu5ron | Sigma Integrated Rule Set (GitHub) | 375d7fe36535214203bd98ae8bf81aecffb58ea5ae11de354f0140e7390327e2 | 0 | 0 |
| Suspicious Access to Sensitive File Extensions - Zeek | SOC Prime Team | SOC Prime Threat Detection Marketplace | 50e6edda507653e781908aed57ac737c10463c8aa7a2b28ec7724a716c0c9073 | 0 | 0 |
| Suspicious Active Directory Database Snapshot Via ADExplorer | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ba06f41f0cdacccc90e44cfd3d87282153f8adf3929671a78d84cc924d544d21 | 0 | 0 |
| Suspicious AdFind Execution | FPT.EagleEye Team, omkar72, oscd.community | Sigma Integrated Rule Set (GitHub) | cb903e3e20e158519f1431d1978e1d50abf68706bbedd496258a99a785f2ec00 | 0 | 0 |
| Suspicious AddinUtil.EXE CommandLine Execution | Nasreddine Bencherchali (Nextron Systems), Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) | Sigma Integrated Rule Set (GitHub) | 8e1481adb39891d6dedeae88dcb07eeaf15bdd7e3a2411e61516ade49fdb1628 | 0 | 0 |
| Suspicious Advpack Call Via Rundll32.EXE | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0b62708afeee4149ceb2b9d28723f6851c429573dd87fbc76b0b636af1727e8d | 0 | 0 |
| Suspicious AgentExecutor PowerShell Execution | Nasreddine Bencherchali (Nextron Systems), memory-shards | Sigma Integrated Rule Set (GitHub) | 30db6ed0e00254321424a7bd150a6b32fe024744b95caf6061d268915c83db15 | 0 | 0 |
| Suspicious AppX Package Installation Attempt | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6b4a6f38adb95b4288c5c7c4c6f3a34360d4cb29c89ff54dab085eb5e18e3b82 | 0 | 0 |
| Suspicious AppX Package Locations | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 55c78abcc295575b4d679261b5d8385d80a02e702af4d0d15071711dbc30ada7 | 0 | 0 |
| Suspicious Appended Extension | frack113 | Sigma Integrated Rule Set (GitHub) | 3b0fe70c5a9b47ff8d77e014a4b885539419686f60c19c48801ec4b9dd125a18 | 0 | 0 |
| Suspicious Application Installed | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5d1ced4a52f1f5a2b91e544db707099bb9c97b4406e604c377a19c9392192e0e | 0 | 0 |
| Suspicious Base64 Encoded User-Agent | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ae5033bec68378ff3903219d0a081175cb289d5510c82f33a09a0fa3f99b2c2a | 0 | 0 |
| Suspicious Bitsadmin Job via PowerShell | Endgame, JHasenbusch (ported to sigma for oscd.community) | Sigma Integrated Rule Set (GitHub) | 84a714b787a32a4edd32972c4a71a7d66d4a250549ad6c4b1a3faeb077c0bce6 | 0 | 0 |
| Suspicious Bitstransfer via PowerShell | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | b19ad60b757e0d750b6426b1bf5fc68b705f7acf21dabd6e2a59f369493ff2e8 | 0 | 0 |
| Suspicious Browser Activity | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 9b31bddf669715edd1e978f07fa5c4a8cf9a5ed6e397147cc565b04c0b076db6 | 0 | 0 |
| Suspicious Browser Child Process - MacOS | Sohan G (D4rkCiph3r) | Sigma Integrated Rule Set (GitHub) | 568d8c64405dbe084d6462ee2205872cab0363d87a06ed836afe3a660048a901 | 0 | 0 |
| Suspicious C2 Activities | Marie Euler | Sigma Integrated Rule Set (GitHub) | 7f495f7056b28211483e60f8f0510254ee64903ec5d127b9b822b085833218e9 | 0 | 0 |
| Suspicious Camera and Microphone Access | Den Iuzvyk | Sigma Integrated Rule Set (GitHub) | f73e458cd36aac62c3443939924222027b1344d84127a52bf5623bcc692c86fc | 0 | 0 |
| Suspicious Child Process Created as System | Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR) | Sigma Integrated Rule Set (GitHub) | 84856c029af862b4a726da5944e6a57aaed5fda15c317414f9afeb3941c0010d | 0 | 0 |
| Suspicious Child Process Of Manage Engine ServiceDesk | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9eac0a588f2d6d66552a47daa72a61d19949836c752ad630ccd820e1593e7565 | 0 | 0 |
| Suspicious Child Process Of SQL Server | FPT.EagleEye Team, wagga | Sigma Integrated Rule Set (GitHub) | 084aa83f6231ad8f1641d3a19e8fd1cfef9a9cc7c1be4c416fdaf86ff56071fa | 0 | 0 |
| Suspicious Child Process Of Veeam Dabatase | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2dfee20411a27951e5561930e00a23b00d204c747c364defaf050fb9679ad74e | 0 | 0 |
| Suspicious Cmd Execution via WMI | Tim Rauch | Sigma Integrated Rule Set (GitHub) | 8c78d38861194b5331809156fa1e3df49456c4e1d9d52a1705ed9ffbd28295d6 | 0 | 0 |
| Suspicious Cobalt Strike DNS Beaconing - DNS Client | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 16333814c2a5d64593f4c8ea166415d71d1da9a6342322c8bf683d2931872098 | 0 | 0 |
| Suspicious Commands Linux | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3458d203410df750034bc6a6cf707cf905639d4ded28fbafac96941e0a0ec53a | 0 | 0 |
| Suspicious Compression Tool Parameters | Florian Roth, Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | 9ffd116f512698b4f9b310ee5526625ddf70dc16d7e3a87e744f709c8b537b2e | 0 | 0 |
| Suspicious Computer Account Name Change CVE-2021-42287 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 367ee44bfca23688ae0b0af0a5b6d5e824e751b28ac7849d1648bafb35b0448f | 0 | 0 |
| Suspicious Computer Machine Password by PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | c5921c926dcae921e9359276449f92b2c6f72168039b08968ce25b5b9b6d2e69 | 0 | 0 |
| Suspicious Control Panel DLL Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0791036b2af8420cef203df27c7840172deaafc554441f24ba507cd69d0d79e3 | 0 | 0 |
| Suspicious Curl File Upload | Florian Roth | Sigma Integrated Rule Set (GitHub) | 63ca787b0e9b439877ff859851c650e60a39c37447b6c96420cafc38d94331db | 0 | 0 |
| Suspicious DLL Loaded via CertOC.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 506c72069a947a783eff1ae29f031edb5f898bbd365dbe9a4b9e20d502a338fb | 0 | 0 |
| Suspicious DNS Query with B64 Encoded String | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7c4c3ea7b520b1ed475e29a999863beeb5301ce2a0cee83a0b246f19f1e0601c | 0 | 0 |
| Suspicious DNS Z Flag Bit Set | @neu5ron, SOC Prime Team, Corelight | Sigma Integrated Rule Set (GitHub) | 9520587a618269e5bf36ca31426edd352f0894b0dd96480e2a48554e5794148a | 0 | 0 |
| Suspicious Desktopimgdownldr Command | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | beb013be28477c7cc6a96b5e49885366af682311b00c0ad036f6df272f0d73bf | 0 | 0 |
| Suspicious Desktopimgdownldr Target File | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b01cb061a8ed4c005cf232ea599f09e2e3fdcc4033c23e74729723958607fce3 | 0 | 0 |
| Suspicious Diantz Alternate Data Stream Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 5888f710b830080c3505ccf3c3631d57eb9bd8be6b13d067fe7926dae9e72dc4 | 0 | 0 |
| Suspicious Diantz Download and Compress Into a CAB File | frack113 | Sigma Integrated Rule Set (GitHub) | b05a48e704cc2fbb722e3b3533e7b741751d8699bff15f6f28571133fe7611da | 0 | 0 |
| Suspicious Digital Signature Of AppX Package | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | db7f6bed5d0dde14215ada7781fd59838f617a3ed31d01856d67278595f9379f | 0 | 0 |
| Suspicious Download from Office Domain | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a93dc62f3906167da8a6825eb9c1d7bd2ce6bfbb4ab3182329221f812e8374ee | 0 | 0 |
| Suspicious Driver/DLL Installation Via Odbcconf.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 65e3d138ed59a381f2121f1d92dd8a80147497df2a2bee2bc63c44f7364c5aab | 0 | 0 |
| Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 68d6bc153d363f0b968563eca5ffe6c76c6d32f22825add51854906ff183796a | 0 | 0 |
| Suspicious Encoded Scripts in a WMI Consumer | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 06b69d9fb47d54903b8bff29c64d3bc3ad88eab8d9196cef1ed669080b206973 | 0 | 0 |
| Suspicious Esentutl Use | Florian Roth | Sigma Integrated Rule Set (GitHub) | 6374ec2e5ca4f1bca3332d137882a6526e7230b5207c4de514d3b0a0a1e94fcb | 0 | 0 |
| Suspicious Execution From Outlook Temporary Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e10440993b0b656a1a8c6d3b8e4bbc81af5b7f7cc7b8373de18dea6d80adae4e | 0 | 0 |
| Suspicious Execution Of PDQDeployRunner | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7eef5c9bd546630ea12c91d57be092b4b9c9c7bb400252d422d80fef08097b68 | 0 | 0 |
| Suspicious Execution Of Renamed Sysinternals Tools - Registry | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3ed6b9d37bd18283aa0d9e4ac90aef6a16c846a026c995947ad3915d552813bb | 0 | 0 |
| Suspicious Execution via macOS Script Editor | Tim Rauch (rule), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | f0e34536a6290168b216e957004a27eee324dcd551ef6097f4c5e2a515716720 | 0 | 0 |
| Suspicious File Created Via OneNote Application | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7dda8606bb329894f043ccf94ac62751c19f87d742ee8e00c88e01c57396e685 | 0 | 0 |
| Suspicious File Download From IP Via Wget.EXE - Paths | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dc442ba4eb2bab0b5a2f42888b64899ee8df157a9421844d7357df76d6fe92e6 | 0 | 0 |
| Suspicious File Drop by Exchange | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8c8367f9dfc37168dc6405916b58e6caff596c82302bc0f975ab1a15bea01c96 | 0 | 0 |
| Suspicious File Execution From Internet Hosted WebDav Share | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9d307b7c423134f5ddcbc65c0c787b0ca177d16056abb95987cbefda5e9da1ed | 0 | 0 |
| Suspicious Files in Default GPO Folder | elhoim | Sigma Integrated Rule Set (GitHub) | 9d0460b05a7d5059e94192f430c619de34ed01b40a776ef07c0f4ca8e7c63c6d | 0 | 0 |
| Suspicious Get-ADDBAccount Usage | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ff976c058f98951f888acebc22c718cfa0989294f531a1dee5660a0c1c06f0f3 | 0 | 0 |
| Suspicious Git Clone | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fdc5241371963b85bfc8bc1454a8f964643600a35323a9a168c52bc0946b6b50 | 0 | 0 |
| Suspicious HWP Sub Processes | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 609a26363ca1233fc9637c9ef8d9c18feb2dc0dcf6b98ccb949a1913e739c3dc | 0 | 0 |
| Suspicious High IntegrityLevel Conhost Legacy Option | frack113 | Sigma Integrated Rule Set (GitHub) | 1c0964b913350c2d2ed7914e864e3859a758fa1ad84f1d29bce1638f60ee6073 | 0 | 0 |
| Suspicious History File Operations - Linux | Mikhail Larin, oscd.community | Sigma Integrated Rule Set (GitHub) | 946d8ac00870587827118a553b9209dbf76acb7e909425d91f177bde98fc1401 | 0 | 0 |
| Suspicious IIS Module Registration | Florian Roth (Nextron Systems), Microsoft (idea) | Sigma Integrated Rule Set (GitHub) | 97ed6692fb3bad1771a95890c0a60a75f26be235da6ecc615103c8c33c1aa15f | 0 | 0 |
| Suspicious IIS URL GlobalRules Rewrite Via AppCmd | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4a406b126347953cfe315d80f4267d30c93678ba59268330212e6a37000467c8 | 0 | 0 |
| Suspicious In-Memory Module Execution | Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 4e3a7d5df089d2d7c80cf84bbba4e8a4363101ac03f6a9c758101f0c1bb010a4 | 0 | 0 |
| Suspicious Inbox Forwarding | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 487fc5687e250bef85f8102efa69086f801e489db41cb0f01c4bf4b1ed4827f3 | 0 | 0 |
| Suspicious Inbox Forwarding Identity Protection | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 30a57d6df72040349e0b9303a098e739e49dc892557557d2e0d19fa4ec70e21d | 0 | 0 |
| Suspicious Inbox Manipulation Rules | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 0744feb248d2d5a5ce8ae7169c1aa48667c8b870c41b6e34f5743a5c35fa8433 | 0 | 0 |
| Suspicious Installer Package Child Process | Sohan G (D4rkCiph3r) | Sigma Integrated Rule Set (GitHub) | ac632f049b50fccac2801c1fb8b5a27b1f771e75fa4dfe7614037e08985cb23d | 0 | 0 |
| Suspicious Invoke-Item From Mount-DiskImage | frack113 | Sigma Integrated Rule Set (GitHub) | b39494f0c815f838357a670dc6b43d13f4a3ab92f2ce9cac04909e1b3e2fcade | 0 | 0 |
| Suspicious Java Children Processes | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 672d1dbc057ebe6a59b879830826dcffb12c0c7f1a97d0c00e18412e7746429f | 0 | 0 |
| Suspicious Kerberos RC4 Ticket Encryption | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7f2bb7e386b3f3d057b64c70d36264a2c7163a1215e88b8731f9b87d919ca77d | 0 | 0 |
| Suspicious Kernel Dump Using Dtrace | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f1a72edd07dd4c90ef3c56a4aaab9034ebe25d9a2b5d3e9de4deb8877f60ea24 | 0 | 0 |
| Suspicious LDAP-Attributes Used | xknow @xknow_infosec | Sigma Integrated Rule Set (GitHub) | 0730743577ad7cca001768987a40afda61d7838e179b9c8f1053e72a1459048a | 0 | 0 |
| Suspicious LOLBIN AccCheckConsole | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bdd4b3cf901dc4fd7c4ee12323f20fd996bc0170c122f0566f5dbfbede875c23 | 0 | 0 |
| Suspicious LSASS Access Via MalSecLogon | Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 40c242ef2d6a78e1d98f62f539492057d9594d269a98bfe8b9d78c88a5985ba2 | 0 | 0 |
| Suspicious Load of Advapi31.dll | frack113 | Sigma Integrated Rule Set (GitHub) | fdde9ab8116dee77741eec010f384a7df489d11062e8ef7d46dce09ec51717b1 | 0 | 0 |
| Suspicious Log Entries | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3b172a1d01b7c198d455c2a17e8ae127ce5f5dba1c75a0a99cc77599f4ca78f7 | 0 | 0 |
| Suspicious MSExchangeMailboxReplication ASPX Write | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fa002b31be3f4e611034c69df7ee949cffa22117828400d70e69089801abc14c | 0 | 0 |
| Suspicious Microsoft Office Child Process - MacOS | Sohan G (D4rkCiph3r) | Sigma Integrated Rule Set (GitHub) | 165e967934d0cec0e63b5cf8a289ee318662e0a8b8c576f6ec2f2dc27eafc226 | 0 | 0 |
| Suspicious Multiple File Rename Or Delete Occurred | Vasiliy Burov, oscd.community | Sigma Integrated Rule Set (GitHub) | 5cbe938f157b387106147682e156a8efa2d8aeb5efce0266d3c0081b69e12678 | 0 | 0 |
| Suspicious NTLM Authentication on the Printer Spooler Service | Elastic (idea), Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2c55f9d9f3f4dc25ec6908c17d18aa64d4262941cc6851d20150f4136be5453a | 0 | 0 |
| Suspicious Named Error | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b8b5a8000383b99cb6f14f2e8f17d927da0e92e965c625faa3cabe1e72b84323 | 0 | 0 |
| Suspicious Network Communication With IPFS | Gavin Knapp | Sigma Integrated Rule Set (GitHub) | 25602b7956b8b2129bbf5893bbfe5b6b6bc948e9d225b47b5d43055f48248b00 | 0 | 0 |
| Suspicious Network Connection Binary No CommandLine | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 67ad04a82289f88e52e0bdb0655cbfe3c303b18ef877639dec59f3c485cfac92 | 0 | 0 |
| Suspicious OAuth App File Download Activities | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | fa3f7119a0c19e9ddb6bf3defe5e0797888e23ec789c8f3357af53a5f70c3c94 | 0 | 0 |
| Suspicious OpenSSH Daemon Error | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e0a89459a9f05d408d482b9640980fec9bab82d2dd11083d04356a4055021f78 | 0 | 0 |
| Suspicious Path In Keyboard Layout IME File Registry Value | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ddd88c5a8c5b057d7b598e894795cec07bb567c64355e88c93ebca56da327f06 | 0 | 0 |
| Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ab9342dac5b3f049e5fea481d289344bd53a9f9404b8a7c4421870e296c426d7 | 0 | 0 |
| Suspicious PowerShell Download | Florian Roth | Sigma Integrated Rule Set (GitHub) | 2db1db0eb3649cc130ae953a4803853a8ff8e44f3c4a06d42ed49eb3cabfb696 | 0 | 0 |
| Suspicious PowerShell Download | Florian Roth | Sigma Integrated Rule Set (GitHub) | 9d6bbc732c370aae45fda2c0c962d9136afa87ecd165064208cb40aa877e4e5b | 0 | 0 |
| Suspicious PowerShell Download | Florian Roth | Sigma Integrated Rule Set (GitHub) | 9e7977461c567e8bfbcdd316661d9ef710694b3de751c6ad76cf0dae3749c57b | 0 | 0 |
| Suspicious PowerShell Download | Florian Roth | Sigma Integrated Rule Set (GitHub) | ddc4948cb3433762084af70db4c7d85a2cd1e48ee6ae8dc152412a50dfbb42db | 0 | 0 |
| Suspicious PowerShell Invocations - Generic | Florian Roth (rule) | Sigma Integrated Rule Set (GitHub) | 20f6c9f89613e81c3c83ed81ee4dd3f5793d5910ebc8fbc5330174a7a74ecb54 | 0 | 0 |
| Suspicious PowerShell Invocations - Specific | Florian Roth (rule), Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 5d6d29828f1f8db072b666bd85ae7074ac349c49205087a92da4084700e50657 | 0 | 0 |
| Suspicious PowerShell Mailbox Export to Share | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bdf323dec5fa58a6655db6a0ae8ed9322f1fae8288502705c60e0b1f38761a06 | 0 | 0 |
| Suspicious PowerShell Mailbox Export to Share - PS | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0861753c840036f498e3bd4029c5edd57ad0622e1bc413cf2d38df4ea3fb34bf | 0 | 0 |
| Suspicious PrinterPorts Creation (CVE-2020-1048) | EagleEye Team, Florian Roth | Sigma Integrated Rule Set (GitHub) | 9f4d9015afcdadf3e8a90bd3b8b01cae40397eca61dc45580339296224e1b40f | 0 | 0 |
| Suspicious Process Creation | Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Sigma Integrated Rule Set (GitHub) | b902e441638f8747df97dc2c59508d1d39ca9ab179b28132c51cee02b1d19152 | 0 | 0 |
| Suspicious Process Start Without DLL | Florian Roth | Sigma Integrated Rule Set (GitHub) | d473f1a87cdfa8e30ccefdd183b775109bfb012796c04ab06be794c4b74ba1eb | 0 | 0 |
| Suspicious Provlaunch.EXE Child Process | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f866c0bee7cfae223e6c32f2033891c7f0c284e03b66f23b4fabd91f76e9e151 | 0 | 0 |
| Suspicious PsExec Execution | Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | f04c595ca66281cfe11a9157fbeef36ddbee45cc4a5391471d010a08e4c14863 | 0 | 0 |
| Suspicious PsExec Execution - Zeek | SOC Prime Team | SOC Prime Threat Detection Marketplace | 5c9d17e0b9843d06a6bdc67aa64f2d0c4823a01681a54c83d94c7e3c0bbe2c66 | 0 | 0 |
| Suspicious PsExec Execution - Zeek | Samir Bousseaden, @neu5ron, Tim Shelton | Sigma Integrated Rule Set (GitHub) | eee9047f1507bcd02b641cb229c21f615af4fb70ba87dbff05842699503530b4 | 0 | 0 |
| Suspicious RDP Redirect Using TSCON | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2d1baec06e45f7d7bbd540486a817a6738253b8960068c5aee89c3123cfa1ac0 | 0 | 0 |
| Suspicious RazerInstaller Explorer Subprocess | Florian Roth (Nextron Systems), Maxime Thiebaut | Sigma Integrated Rule Set (GitHub) | b656a8d4ce3cfd0545afa9a8754e22d2d051bd71f469b2d3d844ecf580dd0532 | 0 | 0 |
| Suspicious Redirection to Local Admin Share | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a1efd51dbf79212db85a2c4038309389dd1fc357ab4ca2be2b60e1f5de85beff | 0 | 0 |
| Suspicious Rejected SMB Guest Logon From IP | Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w | Sigma Integrated Rule Set (GitHub) | f1f470f63c4d9b600bbc209212d3f1806b7b41154d14a15f0666241f96f786b1 | 0 | 0 |
| Suspicious Remote AppX Package Locations | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 24496f972dab986c0b02095b9ab70f146ab35093bb1e1a1b5e6f53fa4fe709e9 | 0 | 0 |
| Suspicious Remote Child Process From Outlook | Markus Neis, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f9e5ca1d53357c6179a23ffe1ed388ebe305e69c24b43fd23804a567a490780a | 0 | 0 |
| Suspicious Renamed Comsvcs DLL Loaded By Rundll32 | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bb742ff85b3c9a1b3dd1e6ca80f61086fe051299c7849fa28d012a7248e9e520 | 0 | 0 |
| Suspicious RunAs-Like Flag Combination | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 90c1cc21debdada5d0fcc2afbc166820029a07eb4adad2d3d7b5b09d5dbc707c | 0 | 0 |
| Suspicious Runscripthelper.exe | Victor Sergeev, oscd.community | Sigma Integrated Rule Set (GitHub) | 11391eae2fbdc6dde630d27416798a88f2a185e1dc68c55e40fe03a2a85412de | 0 | 0 |
| Suspicious SQL Error Messages | Bjoern Kimminich | Sigma Integrated Rule Set (GitHub) | 25642d4ac27c9f3036a7124392a66d0dad8e15e7f323995c82b1b9460ae3ffb5 | 0 | 0 |
| Suspicious SQL Query | @juju4 | Sigma Integrated Rule Set (GitHub) | 2a7aa4e41231e1b0524f3cd4bc3ea12bf92ecdfbb3ed80a6c4dc0c8ef42d373c | 0 | 0 |
| Suspicious Scheduled Task Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bffcbf199caf6618ec0632e009bb69353f15a11388b2c130984c2be005d800f1 | 0 | 0 |
| Suspicious Scheduled Task Update | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a0948d42b228f12aeaca91583a65ad12cd9578f9490a86b19194440cac3994ff | 0 | 0 |
| Suspicious Serv-U Process Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7456e5b742cfbd4f35bce2536feed29bf8c22343e4f695fdd04fbf7070d41396 | 0 | 0 |
| Suspicious Service DACL Modification Via Set-Service Cmdlet | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dc53bfcc618f20855734b363a199a1bb7088e9b6366330f2d73c89f4830e295f | 0 | 0 |
| Suspicious Service DACL Modification Via Set-Service Cmdlet - PS | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fa87227c8ef55f355d187b7f0d44d69fecf0d7ee575cc3730fe757a38cec54dd | 0 | 0 |
| Suspicious Service Installation | pH-T (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 94a10fb40e2dcc9f743a6b7910ac8e6f494deea16b643f51403bab5086be6a7a | 0 | 0 |
| Suspicious Service Installation Script | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a807d64a3f9a1aee435e9d3d51d46250e3ffea7c190dea627dac4051f51696cf | 0 | 0 |
| Suspicious Shim Database Patching Activity | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 61ec0cc91754f7ca419e31b04481c92897b180e449f0c0a4ac571523ab898206 | 0 | 0 |
| Suspicious SignIns From A Non Registered Device | Harjot Singh, '@cyb3rjy0t' | Sigma Integrated Rule Set (GitHub) | 47ca70cb2ec9b97ad474f95c84a9b656c09956b847a325c011cf20ad5474e28e | 0 | 0 |
| Suspicious Svchost Process Access | Tim Burrell | Sigma Integrated Rule Set (GitHub) | 9fc70bf733b29bcd18e12529f975e24abdf01e3660221d791f76d57e02e2d527 | 0 | 0 |
| Suspicious SysAidServer Child | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fa328d9830be6a424db03c3b9931c2bf4feebcf032f7c702ca62053448095f80 | 0 | 0 |
| Suspicious Teams Application Related ObjectAcess Event | @SerkinValery | Sigma Integrated Rule Set (GitHub) | 4a0e44811d11e6f266ca4f87c93ec8a3d5520eae505dc05694f5b9473af509bc | 0 | 0 |
| Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe) | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2edd9587fec3afbdba27c193e057a7b5b378162e4ddd1ad9b808602f5e20e70f | 0 | 0 |
| Suspicious Usage of CVE_2021_34484 or CVE 2022_21919 | Cybex | Sigma Integrated Rule Set (GitHub) | 9937b6e6ae332de5e4a7d70d91b2c54d616c6c5a3491974b668d117ae637604e | 0 | 0 |
| Suspicious Use of CSharp Interactive Console | Michael R. (@nahamike01) | Sigma Integrated Rule Set (GitHub) | a4fc89bb3700fe0a55cf04c68919916827d349edffbb82042fcceed68a55944d | 0 | 0 |
| Suspicious User Agent | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d91df9da12337a7f5ee75bb073c3410a058eb5ed6b7c86b148e725f9059f75a0 | 0 | 0 |
| Suspicious User-Agents Related To Recon Tools | Nasreddine Bencherchali (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | a24e7b53f51338e062a4c0ad76154753129052ee12ebfb5fd0bf818d11ee8c25 | 0 | 0 |
| Suspicious VBScript UN2452 Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7fb1daa4a8edb7a5b90b062c058870ef63fc97c3ef0e3208a4ebe707c2f77f8f | 0 | 0 |
| Suspicious VBoxDrvInst.exe Parameters | Konstantin Grishchenko, oscd.community | Sigma Integrated Rule Set (GitHub) | 7f57d3ad9551dc7e9826a09268d6311674527871cd948f123fe51b8ad1b701aa | 0 | 0 |
| Suspicious VSFTPD Error Messages | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bbc1da4633ad6413fded73095affb9717c6e165f62cd9aad1ecfef998aa8db78 | 0 | 0 |
| Suspicious Vsls-Agent Command With AgentExtensionPath Load | bohops | Sigma Integrated Rule Set (GitHub) | 9f01dd8d09135ee4372c7cf259bdd238ef5beaff8d03b7a0aa8ef0d5fc0b659d | 0 | 0 |
| Suspicious Werfault.exe Network Connection Outbound | Sreeman | Sigma Integrated Rule Set (GitHub) | 16c36a9e42bc4413ac1329f5dd42431a817722b75cea05ac07ebb3f65876cb0f | 0 | 0 |
| Suspicious Windows ANONYMOUS LOGON Local Account Created | James Pemberton / @4A616D6573 | Sigma Integrated Rule Set (GitHub) | 95f1c4af26ab73ade968853c4fcf97de23d5c6004b49db4a07a2616054591b05 | 0 | 0 |
| Suspicious Windows Strings In URI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cbdc0f6b8b52d66a08ba1df24758e02d8bcc7a727be78396c3c5e2a3c15820b4 | 0 | 0 |
| Suspicious Word Cab File Write CVE-2021-40444 | Florian Roth (Nextron Systems), Sittikorn S | Sigma Integrated Rule Set (GitHub) | 81b716bb22121eaedb941850fff6c213e7492ff4ee7564ae54606bc9dbb4fa57 | 0 | 0 |
| Suspicious X509Enrollment - Process Creation | frack113 | Sigma Integrated Rule Set (GitHub) | e37fe19aa7211312d16f86a97be31d1e7f036a49ca501a83feb84f3ba4d27ff9 | 0 | 0 |
| Svchost DLL Search Order Hijack | SBousseaden | Sigma Integrated Rule Set (GitHub) | db5441b38e2fcbf39fea3bb39c740232381bd1357c8ff96f6df1ce0020169259 | 0 | 0 |
| SyncAppvPublishingServer Bypass Powershell Restriction - PS Module | Ensar Şamil, @sblmsrsn, OSCD Community | Sigma Integrated Rule Set (GitHub) | da7ba86aeba5af6786083f79201143e96dfb9aaa6f81136cb9deeffbda13a236 | 0 | 0 |
| SyncAppvPublishingServer Execute Arbitrary PowerShell Code | frack113 | Sigma Integrated Rule Set (GitHub) | bd38197f39431ccbcd7225eae0595eed4788e30dee52b6db845bb259cc8a5490 | 0 | 0 |
| SyncAppvPublishingServer Execution to Bypass Powershell Restriction | Ensar Şamil, @sblmsrsn, OSCD Community | Sigma Integrated Rule Set (GitHub) | 15b8bc2b4085ebae022c2b20c71b4ff925bb2def0f422752e477ef64090acbb5 | 0 | 0 |
| SyncAppvPublishingServer Execution to Bypass Powershell Restriction | Ensar Şamil, @sblmsrsn, OSCD Community | Sigma Integrated Rule Set (GitHub) | 2f6c3876a6bf6c6982f41c7a31019b9025028a80428d75d0fbfadc485780f478 | 0 | 0 |
| SyncAppvPublishingServer Execution to Bypass Powershell Restriction | Ensar Şamil, @sblmsrsn, OSCD Community | Sigma Integrated Rule Set (GitHub) | 3bc75ee6104b1d450b245ac94167ae14c204c835e99ff14f840649b7ec5cb561 | 0 | 0 |
| SyncAppvPublishingServer Execution to Bypass Powershell Restriction | Ensar Şamil, @sblmsrsn, OSCD Community | Sigma Integrated Rule Set (GitHub) | 72c39d73d55d9033eaf48b2345a2731c21be042d5b6a492dd732ad728d06da24 | 0 | 0 |
| SyncAppvPublishingServer Execution to Bypass Powershell Restriction | Ensar Şamil, @sblmsrsn, OSCD Community | Sigma Integrated Rule Set (GitHub) | a8c3610f0218840679ca4d558856dbb0f5d711cabe7b939a9f283180553e2b77 | 0 | 0 |
| SysKey Registry Keys Access | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 00368348746af494ae4871162a2c3187af955e35e20fc2de34bda349b1883860 | 0 | 0 |
| Sysinternals PsSuspend Suspicious Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 56654aed7c40de6b38d02ae11978a98d76f2045e2b715925563b9a79d8db0adb | 0 | 0 |
| Sysinternals SDelete Registry Keys | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | d5a8c01fb27702ba8f9e0abb5ca03c7c11b6bbf635c3e08354c5106eb06c1c85 | 0 | 0 |
| Sysinternals Tools AppX Versions Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e0c6dedbb0a3c9244c69da7aa0922b6c42fca7f8bef15f5e7e53692ce56655c2 | 0 | 0 |
| Sysmon Application Crashed | Tim Shelton | Sigma Integrated Rule Set (GitHub) | d6da4eb76c586437f5fff020dc4168d1abb0945c1365d46be05d23164d9276b3 | 0 | 0 |
| Sysmon Blocked Executable | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1465e125dc6604c53527ef6c23b3e6c4380b78e46d327aaaadf658458d08abf6 | 0 | 0 |
| Sysmon Blocked File Shredding | frack113 | Sigma Integrated Rule Set (GitHub) | 27f8ed179d16f640500bf0f00550e2f05fb62070a448a885fcd89d5453b7082c | 0 | 0 |
| Sysmon Channel Reference Deletion | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | f9f553ae3b418546ce1d60bc5be320fb809f42d2184eea0be3ebe38529115176 | 0 | 0 |
| Sysmon Configuration Modification | frack113 | Sigma Integrated Rule Set (GitHub) | 3bb0c88834d7140b8c654b55212f61356f2c8817acf24f1a8691d358280b0541 | 0 | 0 |
| Sysmon Configuration Modification | frack113 | Sigma Integrated Rule Set (GitHub) | d46e95fee1af14f21e84edea54e4ff0adc9b091c82e403fd89cc53d93506d609 | 0 | 0 |
| Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | d58a7bc786bd9e9a6ecc6de92ba386f2e8ff1b3b96a65d1cdaa66db5cd0b94d1 | 0 | 0 |
| Sysmon Driver Altitude Change | B.Talebi | Sigma Integrated Rule Set (GitHub) | 4bcaa5dacb5e1eb968ca726b5580829575896d88af4c640f430427376c3fffe8 | 0 | 0 |
| System Drawing DLL Load | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 0e577377d486c7998da21b8bf8adfad459d2ee2c932fddd9aa595b43b009916c | 0 | 0 |
| System Information Discovery | Ömer Günal, oscd.community | Sigma Integrated Rule Set (GitHub) | 0e346973181b79cd813d4507ff8c38d8a584a417939557faa5fa7158cf2ba7d0 | 0 | 0 |
| System Information Discovery | Ömer Günal, oscd.community | Sigma Integrated Rule Set (GitHub) | 3745b67648a34091bd1ecf4cfeeaba7bc12bfe1ffc83c8aea519f5888c1714ef | 0 | 0 |
| System Information Discovery | Ömer Günal, oscd.community | Sigma Integrated Rule Set (GitHub) | 9920fd14e241024bdb1ef7da4f1d69e5ac14e3d81aa324f2395de1464b61d679 | 0 | 0 |
| System Information Discovery | Ömer Günal, oscd.community | Sigma Integrated Rule Set (GitHub) | de46e7313e69231a749082946337322d32ab9e628663e5d92b61586d9c24d47f | 0 | 0 |
| System Information Discovery - Auditd | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | fb1fcb86cdb589a2d0fc7810aa7796360737fe3205f5d847d75ecf94876c080f | 0 | 0 |
| System Integrity Protection (SIP) Disabled | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 42a9bc03d7633687377855c6d2b55e058f9f52c0a837dfe263e92b7563642df5 | 0 | 0 |
| System Network Connections Discovery - MacOs | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 036282b9889ec8d8a1cdaf902e26133c4af06ef02c074d48c4e063674b97b784 | 0 | 0 |
| System Network Discovery - Linux | Ömer Günal and remotephone, oscd.community | Sigma Integrated Rule Set (GitHub) | 780133161bc77c6fd8e998a40218c5d992ba90b4ee08ea1e489f112b4f5739e6 | 0 | 0 |
| System Network Discovery - macOS | remotephone, oscd.community | Sigma Integrated Rule Set (GitHub) | 90acea841b97b3b53a1119f22723d62839805d36487dbabf612a9b724c86798b | 0 | 0 |
| System Owner or User Discovery | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | db8f6a3c12b8841963a472baa0be9f352507e250365446a6638700e5e7035e32 | 0 | 0 |
| System Shutdown/Reboot - Linux | Igor Fits, oscd.community | Sigma Integrated Rule Set (GitHub) | a915654969a7479839f83e157606f0d49d87567ec32f31c4b16352afecd90f27 | 0 | 0 |
| System Shutdown/Reboot - MacOs | Igor Fits, Mikhail Larin, oscd.community | Sigma Integrated Rule Set (GitHub) | 96710ba7369fb8bd38beca2361ac7b7447c02e93a21426970ee43af5e1e039dc | 0 | 0 |
| System and Hardware Information Discovery | Ömer Günal, oscd.community | Sigma Integrated Rule Set (GitHub) | fa3e44c9641ee88a3df1944a742869e28a10d6f37c0aab69e06413014fd5c890 | 0 | 0 |
| Systemd Service Creation | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | c98ca23ae236514eac31459384aea73b66542cfac7574615d51735ecffc1cf8c | 0 | 0 |
| Systemd Service Reload or Start | Jakob Weinzettl, oscd.community | Sigma Integrated Rule Set (GitHub) | 2b9f58e2da3f441d888d64d4aca75b8c4f27198a10b76961e1a593881f018af3 | 0 | 0 |
| T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack | Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga | Sigma Integrated Rule Set (GitHub) | 9140e60563fcdfeb01d8d885f102c4b30ed9435ca18d2a4d8df9db6020ba2d0a | 0 | 0 |
| T1047 Wmiprvse Wbemcomn DLL Hijack | Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) | Sigma Integrated Rule Set (GitHub) | 1ed7550018ff4afc8c6f1d36eb7b0bbb2f831f5ac43cb0a16bbb96205616d858 | 0 | 0 |
| TA410 LookBack and FlowCloud malware campaigns (Sysmon Behavior) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 2d3ca95295f2fe12c6cbd5a13bb6f9b54f0f22d3a81dbc5b82c9bfbdae44f83b | 0 | 0 |
| TA505 Dropper Load Pattern | Florian Roth | Sigma Integrated Rule Set (GitHub) | e6b2d2b9d4348a8c3ab985832a818688f8ed2f19e9f03c58867656810da91ae4 | 0 | 0 |
| TAIDOOR - Chinese RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 680dcdde1b8bfe90bf9acba2d0f5e4c1c8b437fe2e5aa5068855ccda40180966 | 0 | 0 |
| TAIDOOR - Chinese RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 68bb411fd4bf6a1ffe552b343dac5d14f00ce686424e3b32e68ee2176ab8bce3 | 0 | 0 |
| TAIDOOR - Chinese RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 97b2c02dfa95bb4aaaff73fc548ad854d0cdd79e40c67de409e716ba04f8b372 | 0 | 0 |
| TAIDOOR - Chinese RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | fd151743b69be65652e958a898253090e87a94daf21f008ffacbfef9d8aebcbf | 0 | 0 |
| TAIDOOR RAT DLL Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e8a94b22f6db7e94eaf7903de94492f4bdd5b91eaa24377a94e7e51bfdb8e562 | 0 | 0 |
| TAINTEDSCRIBE - North Korean Trojan (Hidden Cobra) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | fefa666b9dddab06dca15eb5c3a044757bbf7420794f459140fae014af5988af | 0 | 0 |
| TacticalRMM Service Installation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7c58e61c36389fb1f7d55de04f9df5f177ce2ba401acccf1c20e0e0d1fb38e42 | 0 | 0 |
| Tamper Windows Defender - PSClassic | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 207c25c9408a94a6ab4fd79571c6f71741248f188bf163b2ca9ea8531bdf439e | 0 | 0 |
| Tamper Windows Defender Remove-MpPreference | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 15eece1ac1e6388267d739cc6d58ebc136e63e103f833c3e270a3c1cc9836ccb | 0 | 0 |
| Tap Driver Installation | Daniil Yugoslavskiy, Ian Davis, oscd.community | Sigma Integrated Rule Set (GitHub) | 20135d843bc80e241d98b14cfdd38a8e122b0a032b2edd8e2dc631c53b5632ca | 0 | 0 |
| Tap Driver Installation | Daniil Yugoslavskiy, Ian Davis, oscd.community | Sigma Integrated Rule Set (GitHub) | 358d68998add69c3d9057a82193ae58f278aa61103f23b98603b6f2d7e59cb22 | 0 | 0 |
| Tap Driver Installation | Daniil Yugoslavskiy, Ian Davis, oscd.community | Sigma Integrated Rule Set (GitHub) | a23d7badd6ad7bc64986003d146002a8cd02c1adab85136c45c522d5ab23e706 | 0 | 0 |
| Tap Driver Installation | Daniil Yugoslavskiy, Ian Davis, oscd.community | Sigma Integrated Rule Set (GitHub) | c1693fcd30d2082a9f64e5a158f8acfbdb23a2e5ef0cb5c125a34a46c29a60d1 | 0 | 0 |
| Tap Driver Installation | Daniil Yugoslavskiy, Ian Davis, oscd.community | Sigma Integrated Rule Set (GitHub) | f64fba8ff6db3ee854baecf3e208e1be45b8dd29c23b509f62062e55ebe28bb9 | 0 | 0 |
| Tap Driver Installation - Security | Daniil Yugoslavskiy, Ian Davis, oscd.community | Sigma Integrated Rule Set (GitHub) | e60d92b6ad7c18d80d842937fb0a3b1e49a9339611f31cf7f9fa688f0d1fc1fa | 0 | 0 |
| TeamViewer Log File Deleted | frack113 | Sigma Integrated Rule Set (GitHub) | 4d5c0f83a4373919c5837ae554218d0f9f5a99734abf344ba8aa116d3f489bc2 | 0 | 0 |
| Telegram API Access | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8a8587aaa3d307de3f020fd9ddb543581dd561447576a463e570558a6e78a023 | 0 | 0 |
| Temporary Access Pass Added To An Account | Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' | Sigma Integrated Rule Set (GitHub) | d6733a3836dcabc53efcf939702d6cf9d5746b605d08ce482e10ac6fe3d6aced | 0 | 0 |
| Terdot Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 758c4cbf66a128098c5bfb6abc15633535d24cb73c1c583c8b2e6453a93c6f80 | 0 | 0 |
| Terdot Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a05609887fbb50f52f95231dae41088de78c48b2f3559cbe4761af7069777c41 | 0 | 0 |
| Terdot Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a2ea1f893fa8bd005f73e676e141c7eae499af9763fd62fa393223d6fe14326f | 0 | 0 |
| Terminal Server Client Connection History Cleared - Registry | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f864355e26341358045facaf6f66106b0bf475ff0cd2a56ea6c2157735727c35 | 0 | 0 |
| Terminal Service Process Spawn | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0232a28f98329276f53deac4ffd7ee149f868c8def851948c4af8e750be1b910 | 0 | 0 |
| TerraMaster TOS CVE-2020-28188 | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 69295716b447993c5584f18e294250daf69aa8bc979708f88313e47ca01e6793 | 0 | 0 |
| The Windows Defender Firewall Service Failed To Load Group Policy | frack113 | Sigma Integrated Rule Set (GitHub) | 78c22cecdf2e9d4133343a231de9f0ba4be34d2e25ebe1904297c15796a21929 | 0 | 0 |
| Time Travel Debugging Utility Usage | Ensar Şamil, @sblmsrsn, @oscd_initiative | Sigma Integrated Rule Set (GitHub) | 41bae2ae89409b6a1ff355df6e25112c56884876b18f7a5ca827d634fc1847f4 | 0 | 0 |
| Time Travel Debugging Utility Usage | Ensar Şamil, @sblmsrsn, @oscd_initiative | Sigma Integrated Rule Set (GitHub) | ac619a6a73b5c0668aeb218c1580100bf9e6f7791822b92360cb51fb09394ccd | 0 | 0 |
| Time Travel Debugging Utility Usage | Ensar Şamil, @sblmsrsn, @oscd_initiative | Sigma Integrated Rule Set (GitHub) | c5cd42b219e3389810b80d30f0df29501f964191e806ce3ad063b9cf5c621fb4 | 0 | 0 |
| Tinba Banking Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | af02ff0def6aec347fa7d49ff18febb8c477a257f2e7dc8ca67d0cdbe9dddb0a | 0 | 0 |
| Tirbot Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 985b4d1a9a38675b5a512221d45a61dfdf349da41c92df19ae3776b712fe20e0 | 0 | 0 |
| Tomcat WebServer Logs Deleted | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6b492c838f7475476622510916ddd410c03f7533bee9c8754fc3d58876763f4b | 0 | 0 |
| Too Many Global Admins | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 8c281570aa4889433c1dba5a061d2b726e9a7cc1cd7a755920492caa3445142d | 0 | 0 |
| Transferring Files with Credential Data via Network Shares | Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | b901cdb66cb3627f3cf9d508421eb3e34409337ecfea0476c0896c63c71dbd74 | 0 | 0 |
| Transferring Files with Credential Data via Network Shares - Zeek | @neu5ron, Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | c32a3e7518848a21d37b9b5d6a00e756e5ce36f0ba6f2b79a1304a7fa9f1369d | 0 | 0 |
| Trickbot Malware Recon Activity | David Burkett, Florian Roth | Sigma Integrated Rule Set (GitHub) | 7cf68fc17a7548176432b7778814a6be12c78c6b34b7a55b4b5d457302f2c07a | 0 | 0 |
| Triple Cross eBPF Rootkit Default LockFile | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 667bf30fabdb96e0478fb27252c4518b8fb42113dfd0199bb412bd5ded033ab7 | 0 | 0 |
| Triple Cross eBPF Rootkit Default Persistence | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 991266c345f7903602d083e0230f82b591211a09e8cad64809a9c3a8131c61f3 | 0 | 0 |
| Triple Cross eBPF Rootkit Execve Hijack | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 23fe8de813dfa4aa4cf175107cc3a9de090fd8f04b8bdbf910d6f091d5a431ce | 0 | 0 |
| Triple Cross eBPF Rootkit Install Commands | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fe1e5e93f3a2393f66f3e0e1e356624a6bd384c3af2b4e867d9687218febb660 | 0 | 0 |
| TropicTrooper Campaign November 2018 | @41thexplorer, Microsoft Defender ATP | Sigma Integrated Rule Set (GitHub) | 2490e3004ac94fbdd6f3d694aa2c24ec00b0193bcac04aad389d62a43350ce61 | 0 | 0 |
| Troubleshooting Pack Cmdlet Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0bebecc11486eecfc3a6380a6ab35579f5d0110c8afd83429be88564f7b10ba4 | 0 | 0 |
| Turla Group Commands May 2020 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 13b646717610af0f26e60da5f245b187d697983865f41f8426677226a1dd67e9 | 0 | 0 |
| Turla Group Lateral Movement | Markus Neis | Sigma Integrated Rule Set (GitHub) | 4ac69336261d41d0d7c5dabb3bbf3be9deae948f76c2139e4061f519c6fb043f | 0 | 0 |
| Turla Group Lateral Movement | Markus Neis | Sigma Integrated Rule Set (GitHub) | 4ad16e7f0f86e364c4e7a74f240c76737de2845d3ff13e38a2c4437cfea2af8b | 0 | 0 |
| Turla Group Lateral Movement | Markus Neis | Sigma Integrated Rule Set (GitHub) | a84f3c195555e22fcc4045469fd306dbb60cf28e91ae7b9325eb49aeda608af7 | 0 | 0 |
| Turla Group Lateral Movement | Markus Neis | Sigma Integrated Rule Set (GitHub) | baa2e26b5f61d81ea9128226f369bdc536ba0a183e703eaafc23228dffbd64bc | 0 | 0 |
| Turla Group Lateral Movement | Markus Neis | Sigma Integrated Rule Set (GitHub) | dca19d018ba977a72de3571dc1f68228d2444d8b447b50e25b07422b5b014d9c | 0 | 0 |
| Turla Group Named Pipes | Markus Neis | Sigma Integrated Rule Set (GitHub) | 5c1a908c4195fe1b85776a2a1c86cef843d6c40a00070ca9c5ab3043dc19a164 | 0 | 0 |
| Turla PNG Dropper Service | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2181500508cba32078d248a61c926bf73a4bb6ebc4bececfd9d4ac607b57151d | 0 | 0 |
| Turla Service Install | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8d5d550c1852a70e22df794241027e8fda50a74f9c87728f63752437404f20a8 | 0 | 0 |
| UAC Bypass Abusing Winsat Path Parsing - File | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bb336c05f65b92ba4f8c077675fd297597dc9e6a58d623eb2a05ba80991cf674 | 0 | 0 |
| UAC Bypass Abusing Winsat Path Parsing - Process | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3336002627a5fff9960ca0a12f53f9173bf13d359096c010f818ad83f0bd3d60 | 0 | 0 |
| UAC Bypass Abusing Winsat Path Parsing - Registry | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 27a9b69a6e2addb8fe0735e96f0d27ace4b79d17eefd764ce3f0288f74cb21c1 | 0 | 0 |
| UAC Bypass Using .NET Code Profiler on MMC | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e72fb1b5f98a1609a868416ee85fb716eb8e4705f84b33fd471cf747357dea7c | 0 | 0 |
| UAC Bypass Using Consent and Comctl32 - File | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0bc48db9b102772d4daac62f85032a7501fed1102a95f95e8414a0dd3e51732c | 0 | 0 |
| UAC Bypass Using Disk Cleanup | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 639d8d816b374bf0b59c239c80f872bc5c00756e4888cc7934f8a33386306d57 | 0 | 0 |
| UAC Bypass Using DismHost | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 84ae6514a422f3ac64733fe09e8c77e483ddc11d6eec7b8b1f5bf41dade82970 | 0 | 0 |
| UAC Bypass Using Event Viewer RecentViews | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3ad7648de4bdd4a9308e13e8fd3d5b06683f34acaaf1c19bdc02e51da6a78a2b | 0 | 0 |
| UAC Bypass Using EventVwr | Antonio Cocomazzi (idea), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8b0b79836bed93fb4599afe6b48c8fe841a6fe946be47e7b9a7897b9d385569c | 0 | 0 |
| UAC Bypass Using IDiagnostic Profile | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2342c5abe846c316971ff297a5031a5b709b6fa1fa950039e2af8ed232147eb7 | 0 | 0 |
| UAC Bypass Using IEInstal - File | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 00df1f50def5c07da9bb57ea8313bde4905aeeff9ebf1b2b923600351791bd23 | 0 | 0 |
| UAC Bypass Using IEInstal - Process | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 36c54ff9b60bfb04067bb4fc3cb55f0efba4285c46c56123f298c17f0ff6aeb1 | 0 | 0 |
| UAC Bypass Using Iscsicpl - ImageLoad | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 52d8603311fc452b325fffcf27b4e2b1cb851c94b1eff796c0f25cf109a5aaac | 0 | 0 |
| UAC Bypass Using MSConfig Token Modification - File | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1d94cdf7ebb62637f664d4e56943049dfd2e84e3a534202d08775a957375ee59 | 0 | 0 |
| UAC Bypass Using MSConfig Token Modification - Process | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fed3f4e9a7b7505b5d9cf3fa38366c77ae1afaf2a73f5ec6e4e82353cb87e312 | 0 | 0 |
| UAC Bypass Using NTFS Reparse Point - File | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b61e713566d145c79ce59678aadb8a675e19a1177e0477c9916dae6960d75e1e | 0 | 0 |
| UAC Bypass Using NTFS Reparse Point - Process | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b04ae33635c5e4e7fe2dc9592b339835bcf2233b6e640991cf271389ea49fb2d | 0 | 0 |
| UAC Bypass Using WOW64 Logger DLL Hijack | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 136d5312f0c32e4f8a7ed5923499a1fb0d03c457a9b9ff2e66d2d833900dd856 | 0 | 0 |
| UAC Bypass Using Windows Media Player - File | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dea23a2bff0dfc0ed3530c94cc3fa73835c8ee53d7dc7b6426775799cb4c719e | 0 | 0 |
| UAC Bypass Using Windows Media Player - Process | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ddadf6d9fd6af912e7f512980649fd8c1628beae5483c5f009920946687a91c0 | 0 | 0 |
| UAC Bypass Using Windows Media Player - Registry | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 06a48f1443d5688a49e7b4d5436e507df7fcfeb8780da328f16235c4c06d927f | 0 | 0 |
| UAC Bypass Via Wsreset | oscd.community, Dmitry Uchakin | Sigma Integrated Rule Set (GitHub) | 46af1a978d9d6da64e0730a4b0d6dfeb8cab34fe21a2fdc0d3b8e0a428e12c21 | 0 | 0 |
| UAC Bypass via Event Viewer | Florian Roth | Sigma Integrated Rule Set (GitHub) | 1d6ad51b3643427cc3820debc181e8c8a71afff1bee8642632fd392fde905cf6 | 0 | 0 |
| UAC Bypass via Event Viewer | Florian Roth | Sigma Integrated Rule Set (GitHub) | 3a5e9509b313781bf9324f49cac4a71e1e5e822abacd7f2707c6d32f8920aea1 | 0 | 0 |
| UAC Bypass via Event Viewer | Florian Roth | Sigma Integrated Rule Set (GitHub) | 4134cd9d74207db899c24fb73563c311684932a317e61fe905fdc29a75f69109 | 0 | 0 |
| UEFI Persistence Via Wpbbin - FileCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f0dfed59c7940c5f4bdd864552c6aac4d66f3411265e923638850c0fe778cb68 | 0 | 0 |
| UEFI Persistence Via Wpbbin - ProcessCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f6f13948084188f429a00590eca0f80bbbe186a8b7b37042a6f6035cef1a1dee | 0 | 0 |
| UMWorkerProcess Creating Unusual Child Process CVE-2021-26857 (via cmdline) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | 282370a5b2c99cb2055e32a9c50853be0a162c16914c919ee60730f93e7a1902 | 0 | 0 |
| UNC2452 PowerShell Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f91a07dae0817dd517cae4782092e392760c32e680fb4b40f69789c8ea2642c7 | 0 | 0 |
| UNC4841 - Download Compressed Files From Temp.sh Using Wget | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3f390ea9888bd7f07ccecbb0fb601ea24948f868623b6c3393db5f296049fee1 | 0 | 0 |
| UNC4841 - Download Tar File From Untrusted Direct IP Via Wget | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a254bf29c3065c56ea42502ff1804f062fa3bf1acecff169ebb7966e5aec59d3 | 0 | 0 |
| UNC4841 - Email Exfiltration File Pattern | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 92aa9f0124f7f929188d737b6d345047c95ed5bc6bad87c21559dbe238d0c647 | 0 | 0 |
| UNC4841 - Potential SEASPY Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 69ce56c47b0a7e3d28c61a709ca279a5369afc3e6a76ae7f74576338ac4cecc8 | 0 | 0 |
| UNC4841 - SSL Certificate Exfiltration Via Openssl | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1ebc4c174f6064efb43de3a4aaa0ba3acc68bb85642c21032ed5f7a4ac8167af | 0 | 0 |
| USB Device Plugged | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f231038326d2da7583778551de319d33b9b9529e55671b62cbdd58a4a4697507 | 0 | 0 |
| UnReCom RAT (Possible New Adwind variant) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 0b787243bca178008ec0c81d915960fab3bbfdc78bc0b77ad770128d2f342b3c | 0 | 0 |
| UnReCom RAT (Possible New Adwind variant) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4d7d569ef6ec13af576994a62b027bbec44b85374393abedc5f477ee650e0455 | 0 | 0 |
| UnReCom RAT (Possible New Adwind variant) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 5dee39e59001813316f98d63213edd768463d33a54507273b7feb22753fb9a32 | 0 | 0 |
| Unauthenticated file read in Cisco ASA & Cisco Firepower CVE-2020-3452 (via web) | Roman Ranskyi | SOC Prime Threat Detection Marketplace | 0cfd9195be7ced6620371c11ca6323fee3c0b5d0b9ea805f017a841110683b91 | 0 | 0 |
| Unauthenticated file read in Cisco ASA & Cisco Firepower CVE-2020-3452 (via web) | Roman Ranskyi | SOC Prime Threat Detection Marketplace | 789fc5bb01e3f3b18df9537ead68abfcaacecbf0a526ab8207c7e6f198d8a5e3 | 0 | 0 |
| Uncommon Assistive Technology Applications Execution Via AtBroker.EXE | Mateusz Wydra, oscd.community | Sigma Integrated Rule Set (GitHub) | 842f615741b9cfb621f4ae3f95d42e256251fe082e0f4c533c1633ffcc70adb8 | 0 | 0 |
| Uncommon AppX Package Locations | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7c13d7196b7cf3506165b5b41f4822271ab412cb6a4c27b9036aea5590da8241 | 0 | 0 |
| Uncommon Child Process Of Appvlp.EXE | Sreeman | Sigma Integrated Rule Set (GitHub) | e95a64931dc936ea0b79a4d48a5cf5f247dc55a78f0cb754480de9f58dcd9ce2 | 0 | 0 |
| Uncommon External Facing Application Service | SOC Prime Team | SOC Prime Threat Detection Marketplace | 1c5a833abe2b826a6d444da72f62ea23742c5770ece407730a66ef8300dbdcfd | 0 | 0 |
| Uncommon GrantedAccess Flags On LSASS | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8cae91f5123a6836e62fa8710765cfb6bc14fe646f30df2ac61ee942a629fa28 | 0 | 0 |
| Uncommon Outbound Kerberos Connection - Security | Ilyas Ochkov, oscd.community | Sigma Integrated Rule Set (GitHub) | 55516cecb3b5273d1166f185e3e1bcd239eaaa5df10cea2fb888c3f4d4e4dbdf | 0 | 0 |
| Uncommon Service Installation Image Path | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 395cbe985c82a45145fc0889813f6c49aa0c6106eb0c796f51548505a7e839f0 | 0 | 0 |
| Unfamiliar Sign-In Properties | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 0960a31d612ce9c4db0df6ef113ad74f21307572eba4bc99320a92dee732cf87 | 0 | 0 |
| Unidentified Attacker November 2018 | @41thexplorer, Microsoft Defender ATP | Sigma Integrated Rule Set (GitHub) | b08d52ecad9f030d424d9663403423559c1951018ae4cafc8f10b0ef2ad0f77f | 0 | 0 |
| Unidentified Attacker November 2018 | @41thexplorer, Microsoft Defender ATP | Sigma Integrated Rule Set (GitHub) | b5002bc251d42658f759ab88719976f8698c099d4450bc798cdbf9e219cfab1e | 0 | 0 |
| Unidentified Attacker November 2018 | @41thexplorer, Microsoft Defender ATP | Sigma Integrated Rule Set (GitHub) | c02ac5aedb6c89eac4725d7a30df43b4631994b8ad7cee3473099d0926df9a80 | 0 | 0 |
| Uninstall Crowdstrike Falcon Sensor | frack113 | Sigma Integrated Rule Set (GitHub) | 7319e259606b1d76ca31570f4a8256ad40f0297486f907c00ae96d5721d87794 | 0 | 0 |
| Uninstall MRT(Malicious Software Removal Tool) | Joe Security | Joe Security Rule Set (GitHub) | 65e79d3af45ae35c43129d364f5298d673522c7fcb9fe33b3cd10eb832021e80 | 0 | 0 |
| Unix Shell Configuration Modification | Peter Matkovski, IAI | Sigma Integrated Rule Set (GitHub) | 68a01966efd88c63ae041676509e0ef8575e52fc5281a857c9e53e50618990cb | 0 | 0 |
| Unknown Exchange 0day Relevant Crash Event (via application) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | df18dcdc7e0de08d0a24ac99b5e39af9106c4594de1e213961a00f36bb1fb7cf | 0 | 0 |
| Unsigned AppX Installation Attempt Using Add-AppxPackage | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2f3b1d2c658dbc9834a1f03a745bde48a6246581c4743ab5a367fa110a573901 | 0 | 0 |
| Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4904cdf688011b439421df3982ef9579c40ff41600b136fa566c3ee3620bc150 | 0 | 0 |
| Unsigned Binary Loaded From Suspicious Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 52df065ad27fb68c7a9748269ee6807a740bbad58d84cb0e10e634e4d5db3498 | 0 | 0 |
| Unsigned Mfdetours.DLL Sideloading | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9d4a210e1fce413ac152a47099ba449b69b9a81e4e6dc7e5e09035ba0b2d975d | 0 | 0 |
| Unusual File Deletion by Dns.exe | Tim Rauch (Nextron Systems), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | e7ac89a7400fc9dd0df100c1d669a7f242999251c2c8b0c0fce3b2b6de6a9030 | 0 | 0 |
| Unusual File Modification by dns.exe | Tim Rauch (Nextron Systems), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | 7e9cf1866902c13af537edaf7d179eb6d986caec99ff16486322a34b8d8f9ace | 0 | 0 |
| Ursa Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 474d9106c04c0567868d564b0f9fd47bc5094b1d0930bbc47d60fbd690f9fc68 | 0 | 0 |
| Ursa Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8aa514ad684698cba9daddea167e737b38eac3917d5a8c44b11684e4fe0819f3 | 0 | 0 |
| Ursa Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d16ef015b59d30d0df3ba7fbe07aa8edeac37ec141c0ee5852c1a88ce602094a | 0 | 0 |
| Ursnif Malware C2 URL Pattern | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | d983b04ec090162c842c62845c96abbce6bba8d1a7611826053d7ba25fd8918c | 0 | 0 |
| Ursnif Malware Download URL Pattern | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | f320e891edef939c4d89f2e964476f57bf9d8a92415164cce650183f1820be10 | 0 | 0 |
| Usage of Sysinternals Tools | Markus Neis | Sigma Integrated Rule Set (GitHub) | 6caf06038ef037f3ac3da62377560d3544dd6d6b89ac3959ecb666489940b9aa | 0 | 0 |
| Usage of Sysinternals Tools | Markus Neis | Sigma Integrated Rule Set (GitHub) | c2020adce966e19fbcd161d9dfee7f79c0db26018d089ec95e78e41a583fe0bd | 0 | 0 |
| Usage of renamed binaries(wmic, regsvr32) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | c21c41fa3a1749d217cfe78b997b24c415176f9c5f587ddb417fb4893325d908 | 0 | 0 |
| Use Of Hidden Paths Or Files | David Burkett, @signalblur | Sigma Integrated Rule Set (GitHub) | 8d1354dc5493d0fb6e4a095171c3149c23d30ebf94615e365c929586e3377935 | 0 | 0 |
| Use Of The SFTP.EXE Binary As A LOLBIN | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a069144dec00288090d91cc6d2819598d766dbacfe7fea3d99db45e584e16311 | 0 | 0 |
| Use of Debugfs to Access a Raw Disk | Janantha Marasinghe | Sigma Integrated Rule Set (GitHub) | e44003037576d0f894fcce984d49fa4553f8ef93a8dc2361877e5525daa348b4 | 0 | 0 |
| Use of Legacy Authentication Protocols | Yochana Henderson, '@Yochana-H' | Sigma Integrated Rule Set (GitHub) | eaecf1b821f4ae8e60abcee93d4f47189877d34662aa751d0e0afdacb09b42ea | 0 | 0 |
| Use of Setres.exe | @gott_cyber | Sigma Integrated Rule Set (GitHub) | e5133d8b08b3ee12d49e47c6fca47525621545251170b598430b7a5af2a40efb | 0 | 0 |
| Use of VSIISExeLauncher.exe | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ee623073c7ba0607d0ffcaebe48189e0103fce07699171a128d3e9ec423a7134 | 0 | 0 |
| User Access Blocked by Azure Conditional Access | AlertIQ | Sigma Integrated Rule Set (GitHub) | c40f9bf14b74802e89f6f64d76fd9c7700fe103474cfc637cd33d1fef4c7f287 | 0 | 0 |
| User Account Hidden By Registry | frack113 | Sigma Integrated Rule Set (GitHub) | 56111de5ed278e91db489f073c3588c47751272535dbf96b5a22adb9240b42e8 | 0 | 0 |
| User Added To Admin Group - MacOS | Sohan G (D4rkCiph3r) | Sigma Integrated Rule Set (GitHub) | a97494c6bb936418effa72b32b625cff9ae077fcba3a5a7a92073d8849d6e6ae | 0 | 0 |
| User Added To Admin Group Via DseditGroup | Sohan G (D4rkCiph3r) | Sigma Integrated Rule Set (GitHub) | a1fbaefb97a0af3898c29634542046ded26e95d110f1731d23619edead26f3a1 | 0 | 0 |
| User Added To Admin Group Via Sysadminctl | Sohan G (D4rkCiph3r) | Sigma Integrated Rule Set (GitHub) | b3d38a4e1528c7a534bd34bbe4cddf52ebafe46cd78ff9330e7e94d8def3fa9d | 0 | 0 |
| User Added To Group With CA Policy Modification Access | Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner' | Sigma Integrated Rule Set (GitHub) | 4e4068f62d77c9cf12c62b34935a2bcc0f5455e70b73aa899a1d2312996bddd4 | 0 | 0 |
| User Added To Highly Privileged Group | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ed42d985ebe7582bc165828affdaf85ed669feb34b818906d5c4ea80a6aa8cd7 | 0 | 0 |
| User Added To Privilege Role | Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' | Sigma Integrated Rule Set (GitHub) | 6ae533b0f16db4db3f61df052244c932bd1596e0f099c69e4f749eb31f66b644 | 0 | 0 |
| User Added To Root/Sudoers Group Using Usermod | TuanLe (GTSC) | Sigma Integrated Rule Set (GitHub) | 6b2fe5864b124ca13d2798f2909f4aec0bcf7b4cc4031cb92659113cf926b349 | 0 | 0 |
| User Added to an Administrator's Azure AD Role | Raphaël CALVET, @MetallicHack | Sigma Integrated Rule Set (GitHub) | 339c344d69b808b4c773cb492f914a59b8d3d67cc415f392ef0202cbe4837d7c | 0 | 0 |
| User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' | Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | 11a18935f3a8e1e4c4cc09e59d69155a1777e2762605adcc495c58cc96abce1d | 0 | 0 |
| User Logoff Event | frack113 | Sigma Integrated Rule Set (GitHub) | dc41474393f8b1bb12ed77d073f3c9caeae29a2c52bed4e38b0eeb7dc096717e | 0 | 0 |
| User Removed From Group With CA Policy Modification Access | Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner' | Sigma Integrated Rule Set (GitHub) | 56ff8902a91c340fba7751e6f001b6df01f61c5c7016cf767671d01e5e8b83ad | 0 | 0 |
| User State Changed From Guest To Member | MikeDuddington, '@dudders1' | Sigma Integrated Rule Set (GitHub) | c8265ffa5537846bcb318002b32fe0203851fa7fb6902d8a370d0167897ae0cc | 0 | 0 |
| Users Added to Global or Device Admin Roles | Michael Epping, '@mepples21' | Sigma Integrated Rule Set (GitHub) | 28901a8164592dc9ae0a711e39a5fd87681db7a1fa8153e1d92469bf99f67c7d | 0 | 0 |
| Users Authenticating To Other Azure AD Tenants | MikeDuddington, '@dudders1' | Sigma Integrated Rule Set (GitHub) | 3a5dc528ef393315b09dc27af65a0e34e86e4841166fe15c4bc23a53b6a20d98 | 0 | 0 |
| Using SettingSyncHost.exe as LOLBin | Anton Kutepov, oscd.community | Sigma Integrated Rule Set (GitHub) | 90604343649b0a434f2aaf1ac225f1535b3d2b0766ba92bc80cfaed426f07695 | 0 | 0 |
| Utilization of "expand.exe" to deploy files from "Temp" folders | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ade628a427870c8c3442dd7aac9c2d401c3e96ef82d4b92d8128cdeeff3062e9 | 0 | 0 |
| VMGuestLib DLL Sideload | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7728a2cbbd2433e4ba58ba22b327fbed7ba0e274a6c13f6ed6132ecfd33a32a9 | 0 | 0 |
| VMMap Signed Dbghelp.DLL Potential Sideloading | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 784c07c8b34e1168e32c433106c9d95f4198a8fcff9f406cf56f34d9830b042f | 0 | 0 |
| VMMap Unsigned Dbghelp.DLL Potential Sideloading | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 082557e778780e1b1845d3e703e5cbe8d3ea60e302c98c78d2127999c277c97b | 0 | 0 |
| VMware vCenter Server File Upload CVE-2021-22005 | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 307fdbfc019c602d9b897165bdfdff09e71bae733f6e0a8b5305ca81f5f7cc6d | 0 | 0 |
| VSSAudit Security Event Source Registration | Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) | Sigma Integrated Rule Set (GitHub) | 82ec398800a85ecb732c915486c59e1a4abe901700e658ccab6308f47245e33e | 0 | 0 |
| Valak Behavior (Sysmon and Cmdline) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | bd88e7274c701ecb8921074eb102f73f8f0d4a5ac0708ddae5a1e369ef71569b | 0 | 0 |
| Valid Users Failing to Authenticate From Single Source Using Kerberos | Mauricio Velazco, frack113 | Sigma Integrated Rule Set (GitHub) | a3ae92169de3a473b385950d6a3e85b2a991c8be31e68ccb84577f16515c3407 | 0 | 0 |
| Valid Users Failing to Authenticate from Single Source Using NTLM | Mauricio Velazco | Sigma Integrated Rule Set (GitHub) | 05e5abf2c5d151e82602b134f795f3449e651ab33f591a2f4a98aab8d54031f9 | 0 | 0 |
| Veeam Backup Database Suspicious Query | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 02ab4d1d7b20c1483401a052db453d31a1279e4d07c97cb0a63e9cbceb23ea88 | 0 | 0 |
| Veeam Backup Servers Credential Dumping Script Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0de9c38d23396595d72b0260301946f4862519515b73a02737377c862f888baf | 0 | 0 |
| VeeamBackup Database Credentials Dump Via Sqlcmd.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 912e511ef1e7ba499a5cf1552134869bb633ba21adbdddb20785e6c3ab04e761 | 0 | 0 |
| Vim GTFOBin Abuse - Linux | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ac5bf066ac84953fc0ec69419bf2f8a7bb3c62256fadaab219b67a8216a86e1f | 0 | 0 |
| Visual Studio Code Tunnel Execution | Nasreddine Bencherchali (Nextron Systems), citron_ninja | Sigma Integrated Rule Set (GitHub) | ce3375fde5baee5b30869d7fef57755699d5c5746797e9d5b8d340907990028e | 0 | 0 |
| Visual Studio Code Tunnel Remote File Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 15ad665f8c076c09c7570e6bce8bd1427c79e667c7e54616f90dba4d158307b9 | 0 | 0 |
| Visual Studio Code Tunnel Service Installation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9d0f8238a591d140a723c8baf568593a91dc87ef9b219027376c8e8b2a1fa263 | 0 | 0 |
| Visual Studio Code Tunnel Shell Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f76cc179eda8c933fe2ad43b2cf8f43a9222bce56c8bbbae0963b3e56b50b82d | 0 | 0 |
| Visual Studio NodejsTools PressAnyKey Renamed Execution | Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6b0a480dce7ab2e7b5ab4d19e862a01b3cf23bd196963972c2303c12f9abd4bc | 0 | 0 |
| Vjworm Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a274e14c306334155818a08604184fc950850cf7facfe0df879c1608fda2cc4e | 0 | 0 |
| Volume Shadow Copy Mount | Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) | Sigma Integrated Rule Set (GitHub) | 632fbc79a450be1208f0c3c1246793ff703d551fb7163488db4d1de2b2483d5a | 0 | 0 |
| Vulnerable HW Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b919d89a4b8aa0f73640c2c74767522029958fe0b18e389d11faa0049b5c7fe1 | 0 | 0 |
| Vulnerable HackSys Extreme Vulnerable Driver Load | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c3238787747f1f397da43842b3f4cc790fe5310869f27bc4de73114f876bf1c5 | 0 | 0 |
| Vulnerable Netlogon Secure Channel Connection Allowed | NVISO | Sigma Integrated Rule Set (GitHub) | 3f84718f22c39831d8b99ef0dc98874d6e50b02602ada051c9eafb98360fc647 | 0 | 0 |
| WCE wceaux.dll Access | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 183cf5523bdd58d20e93e3b2bb367c38caec4fe344a0aea45722954e9fe9ed9f | 0 | 0 |
| WMI Event Consumer Created Named Pipe | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 01446bc086a25ac157aacfacf8ca447f2f195cd8dd67c3a8cb6a881dc5ac53be | 0 | 0 |
| WMI Persistence | Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community | Sigma Integrated Rule Set (GitHub) | 58154fd247cd9b589c6903a15ffa196e0e50cca640eeadc0ca86c289dbeae3bf | 0 | 0 |
| WMI Persistence | Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community | Sigma Integrated Rule Set (GitHub) | 85bc7739560701dd55a0c7eab1ee7b00c0ddea32b913c6e0b6798b889419591b | 0 | 0 |
| WMI Persistence | Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community | Sigma Integrated Rule Set (GitHub) | aa847a1640b2ae82a6149c6f0b44f8ec7170516b4502113a92de7898285ff89b | 0 | 0 |
| WMI Persistence | Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community | Sigma Integrated Rule Set (GitHub) | f674f8881516524de991b8439ddd2248fd25bacea659a067680337c89b7a6c5b | 0 | 0 |
| WMI Persistence - Security | Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community | Sigma Integrated Rule Set (GitHub) | a9246010da9b679de378be05b2d90c9171220c5fd5b0545883bdad8a49e9811c | 0 | 0 |
| WMI Reconnaissance List Remote Services | frack113 | Sigma Integrated Rule Set (GitHub) | 122d74917c1ba5d7e854a6a25e2ce8bd997bfe1398c7b5ddaaecb88edf02edd8 | 0 | 0 |
| WSH RAT behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 0d8ca71c713cdf5f939ca8eea9288f6c9c665f224016b4672972ff569c13bb16 | 0 | 0 |
| WSH RAT behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 9fb650b5e787c7d815eefa0591bfb991ad5773d231d11d1acc58ac460648e903 | 0 | 0 |
| WSH RAT behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c542efb138f0e8fde0df28089aa73fd35cd12a439000e607e4e10b10ecb3f743 | 0 | 0 |
| WScript Launched By Powershell | Joe Security | Joe Security Rule Set (GitHub) | dd10c5eb1b4cfd51330d892c57a9cfe7ce41ac02ee121c141435ea97a71bb073 | 0 | 0 |
| Wannacry Killswitch Domain | Mike Wade | Sigma Integrated Rule Set (GitHub) | 1835f85f70bcf5e9613228e05d8ab33dae73c11d41a4e5876ceb6f2002b31167 | 0 | 0 |
| Wdigest CredGuard Registry Modification | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 6b2853b0e68d3b3c786df7c3960aa8764840caaee74ca35f04ee828c6df43a68 | 0 | 0 |
| Weak Encryption Enabled and Kerberoast | @neu5ron | Sigma Integrated Rule Set (GitHub) | 2be706f3f2686605d5ee19c899ca7bdb688e826ad3b82c1c873627c8aad568bf | 0 | 0 |
| WebDav Put Request | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 52301a573727517b97c3069178ccee0ad367c8581abc440bbad2eec03af8c709 | 0 | 0 |
| Webshell Detection With Command Line Keywords | Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community | Sigma Integrated Rule Set (GitHub) | fadc206ec1e9e99804969634aed9b633228630e0a72122317cd3e674846a8c7c | 0 | 0 |
| Webshell Hacking Activity Patterns | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 090a4e0f86cd79615ec9497fe86d20f669ba462456650789957743e9f0d2b86b | 0 | 0 |
| Webshell ReGeorg Detection Via Web Logs | Cian Heasley | Sigma Integrated Rule Set (GitHub) | 3b59889f7c01566d9506c1b2b7b8b37af0e7f21424d03390fc64c4f32e4328f6 | 0 | 0 |
| Webshell Remote Command Execution | Ilyas Ochkov, Beyu Denis, oscd.community | Sigma Integrated Rule Set (GitHub) | 6f8b96808977daa36d34a09923e361bdd17a9353c89c25c73253f29bb35b833d | 0 | 0 |
| Webshell Tool Reconnaissance Activity | Cian Heasley, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d9519d30d9c273a67a5b26f64e780cfeec59454accd4f3237419da2afbb82c8d | 0 | 0 |
| Wget Creating Files in Tmp Directory | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 3ba440a3a16379936b3dedb5560cd1507305acd4fb83278b8966c7306075d1a7 | 0 | 0 |
| Win Defender Restored Quarantine File | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 40c49d33668c9f0f3cfccc3a77c3c97ddd40be6255bc5c73e68e52d69a5766a8 | 0 | 0 |
| Win Susp Computer Name Containing Samtheadmin | elhoim | Sigma Integrated Rule Set (GitHub) | f15178ca26b342888299489ddb508bd98df518559135f4ba262e4d4d3ced4c06 | 0 | 0 |
| WinDbg/CDB LOLBIN Usage | Beyu Denis, oscd.community, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 93807d89530fb696ca050ed3db0953ce414b88509cf142223144b53058957b9a | 0 | 0 |
| Windows Binary Executed From WSL | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cd43ee2d94d772e665bcfa48cb7947896af901119dd066239a467331d3c819ba | 0 | 0 |
| Windows Credential Editor | Florian Roth | Sigma Integrated Rule Set (GitHub) | 2120dcc15751868d99ce91b7721c2a27b2b8b8d542b4621a0ece4594a4cd73b2 | 0 | 0 |
| Windows Credential Editor | Florian Roth | Sigma Integrated Rule Set (GitHub) | efb250f52392ac4446104881ff38dafa4934fa84d2f3357065c51b4873c737fc | 0 | 0 |
| Windows Defender AMSI Trigger Detected | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 9944cda138f9f219e918f109ce968902b602a32f60c6ed006bb112b15ba2dede | 0 | 0 |
| Windows Defender Configuration Changes | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d9f0bb23c43de6f9d9053f483a0c1f6130434af54ae4dd0d50ccdbaa3bb1a070 | 0 | 0 |
| Windows Defender Exclusion Deleted | @BarryShooshooga | Sigma Integrated Rule Set (GitHub) | 9f8f2e538f8940225963535efe13195a21ff11fbd854ae4a4839213643b7c973 | 0 | 0 |
| Windows Defender Exclusion List Modified | @BarryShooshooga | Sigma Integrated Rule Set (GitHub) | 73152f171f55d7f7043c1736f071e1ac55ec0708b0d000c9a777765f048ebfd4 | 0 | 0 |
| Windows Defender Exclusion Reigstry Key - Write Access Requested | @BarryShooshooga, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 29051fc71a16779223e0e3bf42ba8b7a5e0b066a0b0cf3a34684da1337ca0f4b | 0 | 0 |
| Windows Defender Exclusions Added | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 20ee93291281ad45d4704a39eb182e955d4353c917a1872e15423a2ebfef6378 | 0 | 0 |
| Windows Defender Exclusions Added | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 2231f93169c7efed228559b8ba20664ec6cf05f5a2df8494b89151752237fb8c | 0 | 0 |
| Windows Defender Exclusions Added | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 52d226d49903df8a4f8ad9d9c7932a887e76679a19f5dc4a55db4471cb55b454 | 0 | 0 |
| Windows Defender Exclusions Added | Christian Burkard | Sigma Integrated Rule Set (GitHub) | aa5b43fba93f194b9cb53e9215833465cb9fbfb8f9787ee9ac6ec99db12d40b7 | 0 | 0 |
| Windows Defender Exploit Guard Tamper | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5b67a2f8e02b15ee631c054972ba527505c95ee81616bd7f19a214632f855a2a | 0 | 0 |
| Windows Defender Grace Period Expired | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | 1bdcc2dc845603bf60227227d1cd0c2902ed43f2c73a43c193f83cf7624a50d5 | 0 | 0 |
| Windows Defender Malware And PUA Scanning Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | 792bdcc04027f8aa778f6f4ee57197ca5cccfd042175e97de0f4786571d9c163 | 0 | 0 |
| Windows Defender Malware Detection History Deletion | Cian Heasley | Sigma Integrated Rule Set (GitHub) | a69f67541c11d90298cb228bee82651387015e4cd30917b3511fde5c028f1eb0 | 0 | 0 |
| Windows Defender Submit Sample Feature Disabled | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 17c80ba51043879dda142abd54f791583a8411715348463957a3f0ac5c98d6e9 | 0 | 0 |
| Windows Defender Threat Detection Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | a6317aefcc7e070bf2d65b66a15af84858276fd8c4350ccb4cc0bc93261757ea | 0 | 0 |
| Windows Defender Threat Detection Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | ed87c230c6d4207b37197d5b9085406475eec57fdb0315aa3f474a07c39806f6 | 0 | 0 |
| Windows Defender Threat Detection Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | f2d1be0ba54a53b3a9599c9697ecd28df209373ff460d809e0da374627734853 | 0 | 0 |
| Windows Defender Threat Detection Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | f41376cbd0bf111c80a06c14f23ee727ec0a64de4ab379cc3853b54b5d945035 | 0 | 0 |
| Windows Defender Threat Detection Disabled - Service | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | 7998082d3f734247061e2d59f83e2a3a523414bed9e74c2adb7bcb0404abce97 | 0 | 0 |
| Windows Defender Virus Scanning Feature Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | d94c45e686425cd40427c11b8330754e07bc58272b1cb384c1f60555432ffc74 | 0 | 0 |
| Windows Event Auditing Disabled | @neu5ron, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d73609956e7379a0917a1fd771e4351b523579011a752df34e3ed749bf878180 | 0 | 0 |
| Windows Filtering Platform Blocked Connection From EDR Agent Binary | @gott_cyber | Sigma Integrated Rule Set (GitHub) | bfa1eb477b52d7559d5959d24a69f63c570cec4b16f131e2a1a57dd875956a89 | 0 | 0 |
| Windows Kernel and 3rd-Party Drivers Exploits Token Stealing | Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule) | Sigma Integrated Rule Set (GitHub) | 25ad3dcfbd1578bd1784acb166bf4273467664ef291ec4722fa1e4361346b135 | 0 | 0 |
| Windows Management Instrumentation DLL Loaded Via Microsoft Word | Michael R. (@nahamike01) | Sigma Integrated Rule Set (GitHub) | 3e47f5ae1f3a80668c79b22bb11fbfefb4a1a9c5078948a80bb884fa77e652e4 | 0 | 0 |
| Windows Network Access Suspicious desktop.ini Action | Tim Shelton (HAWK.IO) | Sigma Integrated Rule Set (GitHub) | 36c3fd2415b8f3380675ca1f08c111880d08658ed378668a4f954f239d1190dd | 0 | 0 |
| Windows Pcap Drivers | Cian Heasley | Sigma Integrated Rule Set (GitHub) | c93c0cd47a9a01f1270c2cc43da3d19744639e155de50e64311df30ce6763d16 | 0 | 0 |
| Windows PowerShell User Agent | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 107a4de06e843fc296a19ef4626692a39338e909a237bf8636b24aef02e6dbba | 0 | 0 |
| Windows PowerShell Web Request | James Pemberton / @4A616D6573 | Sigma Integrated Rule Set (GitHub) | 8f476a2016a135fab13276812845b457aa420dac974d15d909682f6d25fefbec | 0 | 0 |
| Windows Service Terminated With Error | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4ec2907dc85eb9f20f75afd858b2070cf4f603843ab2872b1a86a93eb926ff34 | 0 | 0 |
| Windows Spooler Service Suspicious Binary Load | FPT.EagleEye, Thomas Patzke (improvements) | Sigma Integrated Rule Set (GitHub) | 36004bbb9055623fa5dd3851566dfcd02d35df3bb87caf7ba2e7e876268fb66d | 0 | 0 |
| Windows Sysvol File Modification | SOC Prime Team | SOC Prime Threat Detection Marketplace | 3d8c9cb6ebe5a3e7f4ebd1898e2d1b488d7b3118afdd8cf4e5a3e5bfd012a7ba | 0 | 0 |
| Windows Terminal Profile Settings Modification By Uncommon Process | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7ff9766480f16e8627c4519516666fefae3297969286368599159595c930fb3a | 0 | 0 |
| Windows Update Client LOLBIN | FPT.EagleEye Team | Sigma Integrated Rule Set (GitHub) | dab442a95ac4a7904c20db69e9f390b99d4b5268e3afd391c43a1c522ad4b3f7 | 0 | 0 |
| Windows Update Error | frack113 | Sigma Integrated Rule Set (GitHub) | 879bef301d05e0c53bf1deb87f0ccdd7cba387cea145b72e6110cabcc2a30343 | 0 | 0 |
| Windows WebDAV User Agent | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 917187eb4a5bcdd061118cd2392a86d4b4a05e138f59f268c5906f5df879ff88 | 0 | 0 |
| Windows Webshell Strings | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 82f06847ea3a21b3565bc4d6d23aa0872cca19e1c69046bfffc795ba9dc7f76e | 0 | 0 |
| Winget Admin Settings Modification | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e4f60c805b5ead941d59ceca590f11d05d926a9416b95c64b50c55febc7e1a49 | 0 | 0 |
| Winlogon Notify Key Logon Persistence | frack113 | Sigma Integrated Rule Set (GitHub) | 4edd1b8a91c2781bd88eb5be92c3ab1e0f5498018cb1efb7d6fe4df7f2be05c3 | 0 | 0 |
| Winnti Malware HK University Campaign | Florian Roth (Nextron Systems), Markus Neis | Sigma Integrated Rule Set (GitHub) | fa921a7a680703d8b1c263a0eba9bec48b3361492b6ea0424931dba980c317fd | 0 | 0 |
| Winnti Pipemon Characteristics | Florian Roth (Nextron Systems), oscd.community | Sigma Integrated Rule Set (GitHub) | c1e10ac2693c07c301e475b876c1c19fee91b87063b8908441ea3c5279ae0f65 | 0 | 0 |
| Winrar Compressing Dump Files | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 751aa9f10bb034af3fd96ddfd10baf6ff799f92e0d2802249e1d957644c16591 | 0 | 0 |
| Winword.exe Loads Suspicious DLL | Victor Sergeev, oscd.community | Sigma Integrated Rule Set (GitHub) | 1441bc53b94995e7a28e23c96d5c3742700e48b1cb9d1954b559f58eba877e94 | 0 | 0 |
| Wmic Launch Msiexec | Joe Security | Joe Security Rule Set (GitHub) | db017371e0e4d727e167ff37855a4a5e1c6a2341edbbe11beb3b97caecdcca09 | 0 | 0 |
| Wmic download via msiexec | Joe Security | Joe Security Rule Set (GitHub) | 0104f72cd9f54a0c07ad11f45d22d923453e62473b89d3af0a474a3bc1dceae7 | 0 | 0 |
| Wmiexec Default Output File | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 78a8ea43129a43ee0f26eb58acbc09d97a0df4c44bdc1a4e067135941cf9699b | 0 | 0 |
| Wmiprvse Wbemcomn DLL Hijack | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 15aaaaea2f031734f9cdf2b6b2daccee96287228d9b63de3ef8ae60bb64c31d5 | 0 | 0 |
| Wmiprvse Wbemcomn DLL Hijack | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 62987a80e784c70fc4631c63515a0e98b3c705e1d044ad445298bdbe93ef6002 | 0 | 0 |
| Wmiprvse Wbemcomn DLL Hijack | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | b20f50174b7445b6c6fde810dcacb4c33c3a76f0102c37667f15cf44550c8ea8 | 0 | 0 |
| Wmiprvse Wbemcomn DLL Hijack - File | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | b2fa9548d438421a3ea1321b77228fbd3bd81a77dc8dc2f6b7c5ca51b335f139 | 0 | 0 |
| Wow6432Node Classes Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | b8e0eed90b7762f65047e747e751f1b66397e091c997b89270e3f30cef044193 | 0 | 0 |
| Write Protect For Storage Disabled | Sreeman | Sigma Integrated Rule Set (GitHub) | 909789172b6e132b51b9baf5ca447732e8d01ea892f0b2af3d78463800617785 | 0 | 0 |
| Wscript download file into temp location from wordpress site | Joe Security | Joe Security Rule Set (GitHub) | e4fa44290012b08a6024fd7259647320ed7bcccd8f789391420ae07ec797c56c | 0 | 0 |
| Wsreset UAC Bypass | Florian Roth | Sigma Integrated Rule Set (GitHub) | 96334f64d755424fcec72b4881263e66f022d62103fd2ada696b2264912d1cf5 | 0 | 0 |
| XBAP Execution From Uncommon Locations Via PresentationHost.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a92f0f2a0c39160d3e7f5d285e22beedb4e44ac9471c4675711203fabcbde79f | 0 | 0 |
| ZOHO Dctask64 Process Injection | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d0e9ddaa18a4b91ef3ab1e800b63bf10c6cc73617c12d346033dea7e84c6e584 | 0 | 0 |
| Zeppelin Ransomware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 1dd1813f8e36c59d89368c568c00d0b7df113cf1294162c9aa9daa50f72759d0 | 0 | 0 |
| Zerologon Exploitation Using Well-known Tools | Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community | Sigma Integrated Rule Set (GitHub) | b78e7cfa9a545243900dd20e214093ca8ccdfb84c4e2701d711df94c2325ad45 | 0 | 0 |
| Zeropadypt Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 2903b1fee135b2ab2e99ea7d454b87f0387bb5adbf0a87b8a952cdf559cc0fc0 | 0 | 0 |
| Zimbra Collaboration Suite Email Server Unauthenticated RCE | @gott_cyber | Sigma Integrated Rule Set (GitHub) | fe30819d686fee877ca45810467da758e2b1fcd3b7ec78a5b418774b1046a8cf | 0 | 0 |
| Zip A Folder With PowerShell For Staging In Temp | frack113 | Sigma Integrated Rule Set (GitHub) | 14067c72922c986650e783f9228ddb9fe698c382df3698e163c4f670cf050465 | 0 | 0 |
| Zip A Folder With PowerShell For Staging In Temp | frack113 | Sigma Integrated Rule Set (GitHub) | 4d383989e445c74fd8a77bd2cf57f7a1ffccaa221d9d197cc2167b4023e34425 | 0 | 0 |
| Zip A Folder With PowerShell For Staging In Temp | frack113 | Sigma Integrated Rule Set (GitHub) | c85d82a8951189fc9e17094e9738f8f03ee60e483cb4725d6062de14e1663ff1 | 0 | 0 |
| Zip A Folder With PowerShell For Staging In Temp - PowerShell Module | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | deeb1a213004e4f328c59f035fe5bdbfe766ac3d8a0ea7f9a916c12bc145491f | 0 | 0 |
| ZxShell Malware | Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 9f3c5ba78b1be158567ab3b450ff989c464b256ea5a1f60dbf4fdf93d57d249d | 0 | 0 |
| iOS Implant URL Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c902b9b5f87c7faea1b8d842747d3620db497a294d8484a4d4f30d8efb95f770 | 0 | 0 |
| ixware Stealer | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8b103e0e94ed879b2e6703457646fa5fdedf95419931f137df2e5938b4c484be | 0 | 0 |
| ixware Stealer | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a2a24aed37f8a38265874ac807cc47897929c4c717e16c01e3757dce513e1b8f | 0 | 0 |
| ixware Stealer | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c1badf4bce1bace265e5cf652abbe2eb12efdb34e62690f367fcb35a7dfa2c64 | 0 | 0 |
| njRat payload | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 3199f91af1499ae38d1caaccdebf0b49c00acab265a73ae5522d9c9bb2d4178b | 0 | 0 |
| notepad++.exe DLL search order hijacking(Sysmon) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 088db9822e808265d50798b894fa0f13dc765ec299836dddc752dfe4b8829071 | 0 | 0 |
| powershell registry execution via wmic | Joe Security | Joe Security Rule Set (GitHub) | f33d9692bdb337bf2369df43be996b214f4819827e400c798075464804b0c4e2 | 0 | 0 |
| smbexec.py Service Installation | Omer Faruk Celik | Sigma Integrated Rule Set (GitHub) | 5a4bf43081cef897622ab39eb1011671616e9b2dd0dbea9e10669d85790dcd9c | 0 | 0 |
| tencentsoso.exe DLL search order hijacking(Sysmon) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | e11fbf7c8ec3e7d6d9b7b81e6199ac7b3c7ff5da85494aa9578263862a0bc54a | 0 | 0 |